If you are a health or wellness provider that is subject to HIPAA, such as a “covered entity” (a health care provider that bills insurance) or a “business associate” (such as an information technology vendor that services covered entities), there is good news on the HIPAA security front. Even if you are not technically subject to HIPAA, such as a health coach, you can embrace new guidance on how best to protect any health information you collect.
A new law, 2021 HR 7898, passed earlier this year, requires the HIPAA enforcement agency, the Department of Health and Human Services (DHHS), to consider a covered entity’s or business associate’s efforts to protect the security of protected health information (PHI).
The new law requires DHHS, when it is considering imposing fines for HIPAA violations or when it is conducting an audit of a covered entity or business associate, to consider “whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place.”
Recognized security practices include adopting the standards, guidelines, best practices, methodologies, procedures and processes developed by:
Other programs and processes that address cybersecurity and that are developed, recognized or promulgated through regulations under other statutory authorities.
What does this mean for HIPAA covered entities and business associates? It means that if you start implementing HIPAA security standards, such as through the NIST Cybersecurity Framework, and something bad happens to PHI (it gets lost, or someone hacks into your computer system), DHHS must consider your cybersecurity efforts when deciding if and how to impose a fine. If you are currently under investigation by the DHHS Office of Civil Rights (OCR) and, while under investigation, you have invested a lot of resources in adopting cybersecurity standards, that should weigh in favor of a smaller penalty.
The new law also makes clear, however, that even if a covered entity or business associate does not start adopting cybersecurity standards outlined in the new law, DHHS should not increase penalties for failure to adopt those standards.
What are some other cybersecurity standards that covered entities and business associates could look at adopting? According to some health lawyers, in addition to the NIST Cybersecurity Framework, the following standards are also good candidates:
ISO/IEC 27000 Family of Standards. ISO stands for the “International Organization for Standardization” and IEC stands for the “International Electrotechnical Commission.” ISO/IEC is an international organization that develops standards in a variety of areas, including information security. For example, ISO 27001 outlines requirements for information security management systems in the health care context. It can be used by entities of different sizes. Covered entities and business associates can seek certification for ISO 27001 compliance through certification bodies that meet ISO’s Committee on Conformity Assessment Standards (CASCO).
System and Organization Controls (SOC). Covered entities and business associates could seek a SOC audit from their Certified Public Accountant, which can evaluate data security, availability, confidentiality, processing integrity and privacy.
HITRUST CSF. HITRUST incorporates many of the other standards already mentioned above, including ISO, NIST and HIPAA, as well as some others, like the Payment Card Industry Data Security Standard (PCI DSS) and the European Union’s General Data Protection Regulation (GDPR). HITRUST incorporates over 40 international and national privacy and security requirements, and entities can download the HITRUST CSF security framework as well as a risk assessment tool for free on its website. Entities can customize the HITRUST CSF framework to fit their organization type, size and complexity. HITRUST even has resources for start-up companies that handle personal data. The HITRUST Right Start Program assists and guides start-up organizations to streamline their risk management and compliance process when it comes to keeping personal data private and secure.
So, whether you are subject to HIPAA or not, if you want to be more confident in your data security protocols, there are a number of great resources out there, many for free, to help you analyze your data security risk and then take steps to improve your data privacy and security standards. When you take those steps, the new federal law passed in 2021 will help your chances of getting a reduced penalty should a HIPAA violation occur. At the very least, you can inform your patients and clients that you take data privacy and security seriously by adopting any of the above standards.