HIPAA Compliance Clashing with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has recently told Congress that solely complying with HIPAA Rules is not enough to prevent data breaches. CHIME also claims that, in certain cases, HIPAA compliance can result in a lessening of healthcare cybersecurity defences.

CHIME President and CEO Russell P. Branzell and Shafiq Rab, CHCIO, Chair of the CHIME Board of Trustees, recently responded to a request for information (RFI) from Congress on ways to tackle rising healthcare costs.

In a letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP) on March 1, 2019, they explained that the use of technology in healthcare helps to reduce costs and can improve efficiency as well as outcomes if used correctly.

It was stated in the letter that “significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

In order to improve the level of care that can be provided to patients, the use of technology and data sharing are vital. Despite this, both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also crucial for cybersecurity measures to be put in place to protect patient data. Security requirements must be included alongside any policy recommendations.

CHIME also wrote in the letter: “as we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes.”

Healthcare organizations that are compliant with HIPAA Rules will have met the minimum standards set by the HHS for healthcare data privacy and security. However, that does not mean that HIPAA-compliant organizations have a good level of protection against cyberattacks. HIPAA is complex legislation to comply with, and compliance requires a significant amount of resources. That ultimately means fewer resources are available to tackle the cybersecurity issues an entity may have and to protect it against actual cyber threats.

Healthcare providers are dedicating resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious cyber threats they face. As a result, their ability to protect patient data could be diminished rather than strengthened.

CHIME also believes that enforcement of compliance with HIPAA Rules, such as breach investigations and compliance audits, is unduly punitive. OCR appears to be more focused on dishing out punishment than on helping healthcare providers recover from a breach, learn from it, and share the lessons learned so that other healthcare organizations can also benefit.

Healthcare providers should not be burdened with protecting PHI in areas outside their control. CHIME suggests there should be an introduction of safe harbors “for organizations that demonstrate, and certify, cybersecurity readiness.” This may require amendments to be made to the HITECH Act, as well as a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to make better guidance available to healthcare providers to help them assess threats that are within their control. CHIME also believes that healthcare providers should not have to bear full responsibility for protecting PHI outside of their domain, and has suggested that responsibility for security should be split more evenly between covered entities and their business associates.

OCR should assess the level of effort that has gone into protecting systems and PHI when considering enforcement actions. Policies should then be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

Measures such as these will help encourage healthcare providers to invest more of their resources in cybersecurity. This, in turn, will help to prevent more breaches from occurring and allow healthcare providers to avoid the high costs of mitigating those breaches, which will ultimately result in reduced healthcare costs.