Shoring Up Safe Harbor
By Selena Chavis
For The Record
Vol. 34 No. 3 P. 10
As the industry strives to define “recognized security practices,” experts weigh in on best practices.
In January 2021, an amendment to the HITECH Act was signed into law to create a safe harbor for covered entities (CEs) and business associates (BAs) that had implemented “recognized security practices” prior to a data breach. Many across the industry applauded the development as a move in the right direction following a year of active regulatory oversight in 2020, when the Office for Civil Rights (OCR) imposed a record number of HIPAA violation penalties on CEs and BAs.
AHIMA, the American Medical Association, the College of Healthcare Information Management Executives, and the Medical Group Management Association wrote a collective opinion about the move, noting that “this will incentivize the adoption of cybersecurity practices by acknowledging that providers who have been acting in good faith should not be penalized by OCR and promote increased communication between providers and HHS [Health and Human Services] during the crucial early stages of an attack.”
While the amendment, HR 7898, does not prevent OCR from penalizing BAs and CEs financially, it does provide a framework that directs the regulatory body to consider whether recognized security practices were in place during the 12 months preceding a breach before imposing financial consequences. And while the hope is that the mitigation of fines, audits, and remedies will incentivize the adoption of recognized security practices, the amendment still does not require CEs and BAs to implement them, nor does it provide criteria for selecting which category of recognized security practices to implement.
Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, senior privacy and security consultant with tw-Security, suggests that compliance must be demonstrated with the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act; the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations consistent with the HIPAA Security Rule.
“This means ‘recognized security practices’ are indeed required in order to meet the intent of the safe harbor law,” Lucci says. “The way organizations can show they are aligned with these standards is by reviewing policies, procedures, and practices and comparing them to the well-established NIST standards of cybersecurity. If gaps are present, they must be remediated before the safe harbor law would apply.”
Kelly McLendon, RHIA, CHPS, senior vice president of compliance and regulatory affairs with CompliancePro Solutions, believes that, because it’s not a mandate, the overall intent of HR 7898 may prove too lax. “I’d like to see it as a mandate, but I’m glad it’s getting exposure and push even as it is,” he says.
Lucci acknowledges that there is no way to eliminate all risk, but there are best practices that health care organizations can take to layer security measures and minimize risk. “Good security does cost time and money to implement,” she says. “In the long run, good security will better protect PHI [protected health information], and save money and, most importantly, the organization’s reputation.”
McLendon says the report “Health Industry Cybersecurity Practices [HICP]: Managing Threats and Protecting Patients” can form the foundation of one approach to meeting the threshold of recognized security practices.
“HICP represents security controls to protect against ever-present, increasing, and changing risks to the systems and data within health care systems,” he says. “This is an example of proof of recognized security practices which are now being asked for by regulators, and also investors and cyber liability insurance providers.”
The Cybersecurity Act of 2015 facilitates voluntary public-private sharing of cybersecurity threat information and clarifies the role of the National Cybersecurity and Communications Integration Center in evaluating cybersecurity threats and risks. In addition, McLendon notes that the act also directed HHS to develop a set of “voluntary cybersecurity standards for health care that are consistent with, but not a replacement for, HIPAA security requirements.”
A public-private task force later produced these consensus-based guidelines, which detail practical, cost-effective cybersecurity practices, as HICP. Organized into 10 Cybersecurity Practices, HICP is built on the NIST Cybersecurity Framework. It therefore shares a lineage with HIPAA and with the NIST security controls that are already mandated for federal systems and widely adopted for the many types of computer systems found in the private sector.
McLendon points out that HICP controls and suggestions are flexible and designed to be used by health care organizations of all sizes.
The Impact of HR 7898
McLendon notes that it’s too early to know whether HR 7898 is actually incentivizing CEs and BAs to take action and shore up security practices. Many experts believe that if organizations have adopted appropriate security standards and have documented those measures, they will likely meet the safe harbor threshold, although ultimately, the decision for financial penalties still falls under the OCR’s discretion.
“I think most well-run IT ships are doing a lot to defend against cyberattacks, but with less than an optimal focus on cyber, we have what we have today—much vulnerability out there,” McLendon says. “I think this is a good set of first steps to help identify and close those vulnerabilities. What is important, I think, is that each site is assessing and planning remediation of the most critical vulnerabilities ASAP. Then make their vulnerability/remediation list a priority until they are all remediated.”
The increase in cybercriminal activity has led many organizations to adopt strong cybersecurity policies, Lucci says. “The health care industry has taken serious steps to minimize security vulnerabilities that exist. This includes hardening network security, multifactor authentication, and intrusion detection,” she explains. “It also includes increased and more frequent training for the workforce to make them more aware of the many ways the bad guys try to get to PHI.”
Of particular concern are social engineering and phishing attacks that aim to convince people to click on a link or an attachment. Lucci says these messages generally include a compelling message with a sense of urgency, such as “Your response is needed immediately.”
“They may appear to be from high-ranking individuals within the organization—people you know and trust, but their request for information like passwords and other personal data should be an immediate red flag,” she says. “If ever in doubt, report the message to your IT department or the Help Desk before taking any action.”
While experts believe there is still much cybersecurity work to be done, Lucci says that HR 7898 is important in that it helps protect health care organizations that are striving to do the right thing. “The notion that good organizations with excellent privacy and security protocols in place are subject to huge fines even though they are in compliance with the regulations under HIPAA makes no sense,” she notes.
Lucci offers the following example: “Say your house, although locked and secure, is broken into and the perpetrators steal everything. Imagine if the police charge you with the crime and charge you a fee. That’s our current data breach and fine structure in health care. Bad things happen to very good organizations that have done their compliance diligence.”
On the other hand, Lucci warns that CEs and BAs that have not done all they can to budget and deliver on security risks throughout their respective organizations need to remember that it’s not if but when a data breach will occur. “Good practices are one thing. Policies and procedures, education, and adherence to policies are the keys to minimizing these risks,” she says. “Organizations that do all the right things have earned the privilege of having the safe harbor law applied when a data breach occurs.”
— Selena Chavis is a Florida-based health care writer.
Data Sharing vs Patient Rights
When it comes to cybersecurity, how and when penalties are levied for data breaches, and where responsibility should fall, there is a lot of discussion about the level of oversight needed. HR 7898 is an outgrowth of those discussions.
Yet, amid all this activity and focus, Twila Brase, RN, PHN, president and cofounder of Citizens Council for Health Freedom (CCHF), suggests that HR 7898 is just another layer of regulation that is meant to distract from the problems of data sharing in general.
“Given that HIPAA is considered a permissive data sharing rule, everything else is window dressing meant to look like it protects patient privacy while patient data are broadly shared with little restriction and no consent,” she emphasizes, adding that it’s always difficult to identify what’s underpinning a new statute or regulation. “We do not know who lobbied Congress [for HR 7898], but it likely included smaller businesses who find it most difficult to comply with expanded statutory requirements. The more requirements are piled on, the less likely the business can be sustained. But larger businesses also likely lobbied to make ‘recognized security practices’ mere recommendations rather than requirements. Cost and government interference in their business is always a concern.”
In tandem with the effort to improve protections around “data sharing,” Brase notes that other movements exist in health care—several of which are undertaken by CCHF—that focus exclusively on patient privacy over data sharing. She suggests that the focus on protecting data sharing misses the point of patient privacy and that the current iteration of HIPAA was pushed by the data industry, health care stakeholders (whom she believes are often also part of the data industry), and the government.
“Patient data are the 21st-century version of gold,” she says. “The 1.5 million business associates and the 702,000 covered entities listed by HHS [Health and Human Services] in a 2010 rule have permission to use the data for a boatload of purposes. Look no further than the definition of payment, treatment, and especially ‘health care operations,’ a nearly 400-word definition which is essentially a list of nonclinical business activities—all permitted by HIPAA without patient consent.”
In Minnesota, CCHF defended the strongest patient privacy and consent law in the country, according to Brase. “We fought the Chamber of Commerce, business groups, health plans, research groups, and others to keep it in place and not have it replaced by ‘conformance to HIPAA,’” she says. “As we explained often to state legislators being pushed to repeal our law and replace it with HIPAA, Minnesota is conformed to HIPAA under the state preemption section, which allows states to enact real privacy laws and requires them to be followed rather than HIPAA’s permissive data share rule.”
In closing, Brase notes her belief that industry and government will continue to support efforts to give patients more protection as long as it “does not actually grant patients privacy or consent rights.” She emphasizes that the data are tremendously valuable, noting that UnitedHealth Group’s Optum is a multibillion-dollar operation. “All they do is patient data,” Brase says.