HIPAA Compliance in Conflict with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that HIPAA compliance isn’t enough to stop data breaches and that HIPAA compliance can result in healthcare cybersecurity defenses being reduced in some cases.

President and CEO of CHIME, Russell P. Branzell, and CHCIO Chair of the CHIME Board of Trustees, Shafiq Rab, recently replied to a request from Congress on how to deal with increasing healthcare costs. In a March 1, 2019 letter, the CHIME leaders mentioned that using technology in healthcare can lower costs and, if utilized properly, can increase efficiency and output.

Major advances in healthcare technology have been made possible through policy, but excessively stringent prescriptive requirements have added to healthcare costs, hampered innovation and have placed increasing burdens on physicians.

Technology and data sharing are important for enhancing the quality of care that is provided to patients; however, both create new risks to the privacy of healthcare information. Although there are policies to encourage the application of technology and enhance interoperability, it is vital to implement cybersecurity solutions and policies to protect patient data. All policy recommendations should come with security requirements.

CHIME mentioned that increasing interoperability also increases threats to data integrity. If adequate security measures are not established, the safe and protected transmission of sensitive information will remain a challenge and will impede efforts to provide quality care.

Healthcare organizations that adhere to HIPAA Rules will at the same time satisfy the minimum requirements set by the HHS for healthcare data privacy and security. But that doesn’t mean being fully protected from cyberattacks. HIPAA is complicated and compliance calls for a substantial volume of resources. That could mean resources are taken away from improving security and protecting against serious threats.

Healthcare companies are investing resources to meet the requirements imposed by the HHS and its Office for Civil Rights (OCR), even if the requirements for HIPAA compliance may not resolve the most severe threats. Hence, the capacity to protect patient information may be diminished instead of increased by HIPAA compliance.

CHIME additionally stated that the enforcement of HIPAA compliance is overly punitive. OCR seems to be more centered on punishment than on helping healthcare companies recover and learn from a breach and share information about cyberattacks with other healthcare organizations so they too can learn to better protect data. CHIME recommends the introduction of safe harbors for companies that can show they have implemented cybersecurity frameworks and adopted cybersecurity best practices. That may necessitate changes to the HITECH Act, as well as a modification to the language used to define a breach so that it doesn’t presume guilt.

CHIME also suggested that healthcare companies shouldn’t have the burden of protecting PHI in areas beyond their control, and that the responsibility for security should be shared more equally between HIPAA-covered entities and their business associates. CHIME also requested that the HHS provide better guidance to help healthcare companies deal more effectively with threats that are within their control.