The Senate Health, Education, Labor and Pensions (HELP) Committee has approved a bill of considerable importance to HIPAA-covered entities: the Lower Health Care Costs (LHCC) Act of 2019.
One key objective of the bill is to improve the transparency of medical care costs and quality of service. The bill is meant to stop surprise medical bills and to ensure that patients are well informed about healthcare costs.
The LHCC Act contains a provision that gives healthcare organizations incentives to implement strong cybersecurity strategies by asking the Department of Health and Human Services’ Office for Civil Rights to take into account the good faith security efforts of the organization when deciding enforcement actions.
The HELP Committee passed the bipartisan bill by 20 votes to 3. The bill consists of 54 proposals from 65 senators. With the committee's approval, HELP Committee chairman Lamar Alexander (R-Tenn) expects to present the LHCC Act to the Majority and Minority Leaders for Senate approval in July.
Many healthcare organizations have been asking OCR to take into account their implementation of security frameworks and other good faith initiatives to improve their security posture when deciding whether to issue a penalty for noncompliance. Several industry groups have proposed a safe harbor for healthcare organizations that adopt a cybersecurity framework, such as the framework created by NIST.
The LHCC Act does not propose a safe harbor from enforcement actions, but it does incentivize healthcare organizations to adopt security frameworks, devote time and resources to cybersecurity, and exceed the minimum standards HIPAA requires.
The provision should not be regarded as a ‘get out of jail free’ card. When OCR issues financial penalties, they are normally for a number of compliance failures and/or serious violations of HIPAA Rules. Adopting the NIST Cybersecurity Framework in such a case would not be enough to avoid financial penalties.
The effect of the new requirement may be only nominal. Presently, whenever OCR undertakes a data breach investigation, it takes several factors into account before deciding whether to issue financial penalties. In the past, OCR has explained that HIPAA compliance is about reducing risk, not eliminating it. OCR acknowledges that even entities with strong cybersecurity defenses can still suffer a breach. An organization's security program is therefore already taken into account when OCR decides whether enforcement action is appropriate.
Aside from the provision on HIPAA enforcement, the bill proposes to require health insurance providers to give patients information such as claims data and estimated out-of-pocket costs via APIs, to allow patients to decide on the medical plan that best suits them. The bill also calls for patients to be informed about how their privacy and security are protected and which HIPAA and state laws apply.
Concerns have been raised about the risks to individually identifiable health data when it is transferred electronically to and from non-HIPAA-covered entities. The bill proposes that the Government Accountability Office (GAO) conduct a study to identify any risks linked to such transfers. A further study is proposed to identify gaps in privacy and security when health data is transferred to third parties using mobile apps developed by entities not covered by HIPAA.
The bill must first be presented to the full Senate and House. If the bill is not approved by both houses, the provisions relevant to HIPAA may be included in another bill.