A new bill recently passed by a Senate Committee incentivizes healthcare entities to adopt cybersecurity policies, and therefore making it easier for authorities to enforce the Health Insurance Portability and Accountability Act (HIPAA).
The piece of legislation has been introduced to help lower the cost of healthcare, but it touches upon healthcare in that it asks providers to focus on cybersecurity frameworks when designing their security policies.
The Lower Health Care Costs Act of 2019, as it is known, was recently passed by a Senate HELP committee and it now moves to the Senate. The HELP Committee (U.S. Senate’s Health, Education, Labor and Pensions Committee) works on legislation related to healthcare.
Let’s assume that the legislation passes into law. What would that mean for HIPAA enforcement and cybersecurity in the healthcare industry in general?
Well, there is a specific provision, “Improving the Exchange of Health Information”, that could help auditors enforce penalties for HIPAA violations. The provision states that the Department of Health and Human Services must consider what cybersecurity controls a covered entity has implemented when conducting an audit in the event of a HIPAA breach. If the entity in question has not made significant efforts to set up the correct cybersecurity policies, practices and solutions, they could be at risk of hefty fines.
However, on the opposite side of the coin, the new provision could help covered entities prove that they were making an effort to improve cybersecurity by meeting certain thresholds. If those thresholds are met, then covered entities will not face penalties that are quite as harsh.
A large part of the bill is also concerned with how patient data can be kept secure on emerging technology, such as apps, wearable technology and more. Efforts are being made to get to the bottom of just how entities can ensure that patient data remains secure wherever it is stored. Even third parties that are not typically covered under HIPAA, such as mobile apps, are being scrutinized in this provision. As more patient information moves over to these third parties, there is a need to understand existing gaps in security.
The bill is not entirely focused on cybersecurity by any means. It is mainly aimed at consumers, allowing them to get more information about healthcare costs, reducing surprise billing and anti-competitive costs.
It would be a good idea to keep an eye on this bill as it makes its way to the Senate, as it passed comfortably through the first stage, meaning it is probably likely to become law eventually.
If you feel like you need more visibility over the changes being made to patient data or protected health information in your organization, to help prevent HIPAA fines, schedule a demo of LepideAuditor today. Our Data Security Platform allows you to prove to auditors that you have taken steps to secure data, with real time alerting and pre-defined HIPAA reports.