[BreachExchange] Bill Spells Out New Factors to Weigh in Setting HIPAA Fines

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 21 22:27:17 EST 2020


https://www.databreachtoday.com/bill-spells-out-new-factors-to-weigh-in-setting-hipaa-fines-a-15640

Under legislation passed by Congress this weekend that awaits President
Donald Trump's signature, HIPAA enforcers, when considering financial
penalties for compliance violations, would need to determine whether an
organization had implemented "recognized security practices," such as the
National Institute of Standards and Technology's cybersecurity framework.

The legislation, which would modify the HITECH Act, came about after some
healthcare organizations and trade associations complained that the
Department of Health and Human Services was unfairly penalizing entities
reporting breaches of health information that were the result of
cyberattacks and ransomware incidents, notes privacy attorney David
Holtzman, principal of the consulting firm HITprivacy.

Under the bill, the HHS Office for Civil Rights would be required to
consider whether a breached entity has made a good faith attempt to
implement recognized security practices before it issued a HIPAA penalty.

Some observers say the measure could serve as motivation for more
organizations to enhance their security programs.

New Considerations

Under HR 7898, passed by both the House and Senate, OCR - when determining a
HIPAA Security Rule violation penalty, corrective action or duration of an
audit - would consider if an organization had demonstrated recognized
security practices, such as using the NIST framework "and other programs
and processes that address cybersecurity and that are developed, recognized
or promulgated through regulations under other statutory authorities."

The bill would not subject a covered entity or business associate to
liability for electing not to engage in the recognized security practices.
But it also would not limit HHS' authority to enforce the HIPAA Security
Rule, nor would it "supersede or conflict" with obligations under HIPAA.

Rulemaking Needed

"This statute, if signed, would have to be implemented by rulemaking by
HHS, so the key question is when that would happen and what issues the
Biden administration will include in such a proposed rule," says privacy
attorney Iliana Peters of the law firm Polsinelli.

"Further, in my experience, the vast majority of covered entities and
business associates have not implemented practices that comply with either
NIST guidance or other certification programs," she notes. "It will be
interesting to see how much of an impact this type of 'safe harbor' program
would have in practice."

Regulatory attorney Krystyna Monticello of the law firm Attorneys at
Oscislawski says the legislation could potentially help raise the bar in
terms of the security practices adopted by covered entities and their
vendors.

"The bill seems likely to encourage CEs or BAs to adopt more robust
information management programs," she says. "A covered entity or business
associate that chose to implement the NIST or other cybersecurity framework
would likely be looking at additional and more enhanced processes and
security measures to align its practices with these recognized practices,
above and beyond what HIPAA requires, and provide an additional defense in
the event of a security incident or breach."

Smaller entities, she says, "could feel pushed into adopting more stringent
practices at far greater cost and resources than would be appropriate for
their size, resources and operations."

Not Prescriptive

The HIPAA Security Rule "does not get into the details in the same respect
as more comprehensive frameworks, which may specify a minimum level of user
authentication," notes privacy attorney Adam Greene of the law firm Davis
Wright Tremaine.

"This legislation is helpful in that it encourages, but does not mandate,
covered entities and business associates to adopt more comprehensive
frameworks," he says. "HHS' Office for Civil Rights would then take this
into account as a show of information security good faith."

Privacy attorney Kirk Nahra of the law firm WilmerHale adds: "This is a
really useful provision that will formalize what has been the typical
approach from OCR over the years - they do thorough investigations but have
tended not to take action when companies have implemented meaningful and
appropriate security programs - even when something doesn't work in the
program."

The legislation would "make this enforcement approach more of a requirement
than a general strategy," he says.

Although the legislation would require HHS to consider whether recognized
security practices were implemented, it would not change the organization's
underlying obligations to comply with the HIPAA Security Rule, Monticello
says.

"For example, having in place a robust program that complies with NIST
standards could potentially help a CE demonstrate that the breach could not
have reasonably been avoided and that the CE went above and beyond the
safeguards required under the security rule, which is relevant to the
penalties that may be imposed under HIPAA," she notes. "However, it would
not require OCR to reduce any penalties or take other action related to its
investigatory and enforcement activities."

The legislation defines broadly what it considers to be "recognized
security practices" and does not require OCR to create a more comprehensive
list of recognized security practices, Monticello notes.

It's not yet clear what other cybersecurity programs and processes OCR
might consider in its HIPAA enforcement determinations if the bill becomes a
law, she says. "This could afford some flexibility to organizations relying
upon other industry best practices. However, it would also appear to give
OCR considerable discretion during audits and other enforcement activity."

Timing of Rulemaking

Carrying out the legislation with timely rulemaking could prove challenging
because other HIPAA changes are already in the works.

Earlier this month, HHS OCR issued a notice of proposed rulemaking to
modify the HIPAA Privacy Rule, including streamlining certain requirements
for notices of privacy practices.

Holtzman points out that several provisions of the HITECH Act, which was
enacted 10 years ago, have yet to be carried out through rulemaking. Those
include provisions calling for sharing with consumers the proceeds of fines
and penalties levied against healthcare organizations as well as an
"accounting for disclosures" provision that would enable patients to know
who has received information from their electronic health records.