HIPAA change may hurt or help
Specifically, H. R. 7898 gives the Department of Health and Human Services’ (HHS) HIPAA enforcement arm, the Office for Civil Rights (OCR), additional latitude during the penalty phase of an audit. Essentially, if you’re doing what you’re supposed to be doing, OCR has additional leniency on penalty enforcement. However, if you aren’t doing what you’re supposed to be doing, then that leniency won’t apply, and you may be subject to the full brunt of potential OCR penalties.
The exact verbiage reads as follows (full text can be found here (https://www.congress.gov/116/bills/hr7898/BILLS-116hr7898eh.pdf):
“…when making determinations relating to fines under such section 1176 (as amended by section 11 13410) or such section 1177, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
(2) result in the early, favorable termination of an audit under section 13411; and
(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.”
The order goes on to cite NIST and the Cybersecurity Act of 2015 as benchmarks for application of this provision. If you’re uncertain about your HIPAA compliance, or if you’re “winging it” and doing it yourself, you may want to take a look at the entire provision. If you’re using Acentec, we have you covered.
My personal opinion is this change is intended to incentivize the healthcare community to adhere to stricter cybersecurity policies and practices, and not to be used as a hammer to enforce additional negligence claims. With that said, the “negligence” conclusion is an indication you will be severely penalized, and it’s advisable to prevent being in a position where that conclusion can even potentially be reached.
Thank you for reading. Click smart.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.