With the average cost of a cyberattack at $4.24 million in 2021, and with the health care sector the hardest-hit by ransomware attacks in 2021, it is hard to believe that any health care provider – from small to large – would not treat Health Insurance Portability and Accountability Act compliance as a top priority. Understandably, small to medium health care providers do not have the human or financial resources to staff an entire department of HIPAA privacy and security officials, as large health care providers and health care systems do. However, gone are the days of doing nothing and trying to fly under the radar.
Cyber-incidents and data breaches in the health care sector have become increasingly frequent and severe, and will continue to do so for as long as there is a dark cyber underworld reaping tremendous profits from cybercrime, and until we find a “cure” for bad employees and human error. This trend has been compounded by federal and state enforcement activity and the resulting penalties and fines. Combined, the human resources and financial expenses of managing a HIPAA breach or cyberattack, making required regulatory notices, and paying penalties that may be imposed by federal and state agencies can cripple small and medium health care providers.
A robust HIPAA compliance program must focus on both HIPAA Privacy Rule compliance and HIPAA Security Rule compliance. While the Privacy Rule focuses largely on principles for permissible uses and disclosures of protected health information, or PHI, the Security Rule requires the establishment and implementation of appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic PHI, or e-PHI — that is, PHI maintained in or transmitted by electronic media. Implementing all of the required and addressable “implementation specifications” of the HIPAA Security Rule is no easy task and requires ongoing security risk analyses to identify threats and vulnerabilities as well as security initiatives to address identified risks and vulnerabilities and to maintain an appropriate level of security.
The stick, of course, is the potential for federal and state financial penalties and corrective action plans, and, for criminal HIPAA and state privacy law violations, potential jail time.
Penalties for HIPAA breach incidents and violations can mount rapidly, including penalties in the hundreds of thousands or millions of dollars. Recently, the federal government began offering a potential carrot through amendments to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The amendments, in summary, require the U.S. Department of Health & Human Services to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” in determining fines and other penalties that may be imposed by DHHS. As a result, the agency may reduce or eliminate a fine or other penalty that otherwise may have been imposed for a breach incident or HIPAA violation, or may terminate early an ongoing audit or investigation of a covered entity or business associate.
Recognized security practices are “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
The HITECH Act amendments provide that the specific security practices will be as determined by the covered entity or business associate, consistent with the HIPAA Security Rule. Guidance for such organizations can be obtained from a number of resources, including DHHS and the National Institute of Standards and Technology within the U.S. Department of Commerce. DHHS has made available a Section 405(d) website sponsored by the 405(d) Program and Task Group, which is a collaborative effort between private industry and the federal government aimed at, among other things, raising awareness and providing vetted cybersecurity practices.
The 405(d) Task Group has identified the “Top 5 Threats” currently facing the health care and public health (HPH) sector: email phishing; ransomware; loss or theft of equipment; insider, accidental or intentional data loss; and attacks against connected medical devices.
The 405(d) Task Group offers resources on “10 Best Practices” for combating the Top 5 Threats and strengthening cybersecurity capabilities in the HPH sector. In addition, on Oct. 31, 2022, the last day of National Cybersecurity Awareness Month, DHHS made available a video presentation on recognized security practices to educate organizations covered under HIPAA on recommended security practices to assist in safeguarding patient information from cyberattacks.
Even though they do not have the extensive human or financial resources available to large organizations, small and medium health care providers cannot afford not to comply with HIPAA. Providers of every size must make it an imperative to take HIPAA compliance seriously and protect their patients’ and their businesses’ electronic information and electronic systems against ever-growing and ever-changing cyber threats. This imperative includes having a living and breathing, robust security program that includes frequent evaluation of threats and vulnerabilities and implementation of risk management plans to address those threats and vulnerabilities, including recognized security practices.
Lani M. Dornfeld is a member of Brach Eichler LLC and part of its Healthcare Law Practice group. She regularly assists health care provider clients with compliance, corporate and transactional matters and is certified in health care privacy compliance by the Compliance Certification Board.