HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data – The HIPAA Journal
New legislation – the Health Information Privacy Reform Act – has been introduced to improve privacy protections for health information that is not currently covered by the Health Insurance Portability and Accountability Act (HIPAA).
Under HIPAA, there are strict limits on uses and disclosures of personally identifiable health information, and safeguards must be implemented to prevent unauthorized access to physical and electronic protected health information. The problem for consumers is that the scope of HIPAA is quite narrow. HIPAA only applies to health information that is created, collected, maintained, stored, or transmitted by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate of a HIPAA-covered entity.
Health apps, such as ovulation and fertility tracking apps, can collect large amounts of personally identifiable health information. While the health data would be classed as protected health information (PHI) and be subject to HIPAA protections if it were collected by a healthcare provider, the health information collected by health apps, smartwatches, and other wearable devices is rarely protected by HIPAA or the HITECH Act of 2009, which applies to certified health information technologies.
When HIPAA was enacted more than two decades ago, health information was generally only collected and stored by healthcare providers, health plans, healthcare clearinghouses, and vendors of those entities; however, today, technologies that collect health data are widely used outside of a hospital or doctor’s office.
While there are federal laws that apply to non-HIPAA-protected health data, such as Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, they are not as stringent as HIPAA. Some states, such as California, have introduced legislation to improve privacy protections for non-HIPAA health data, but state laws are patchy. Privacy protections can differ considerably from state to state.
U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is looking to change that with the Health Information Privacy Reform Act. The Health Information Privacy Reform Act seeks to expand health privacy protections to account for new technologies such as health apps, smartwatches, and other wearable devices.
“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”
The Health Information Privacy Reform Act will apply to health technologies not covered by HIPAA or the HITECH Act and seeks to expand protections to include non-HIPAA-regulated entities, such as healthcare providers that only accept out-of-pocket payments.
The bill requires the Secretary of the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification standards to cover all health information not covered by HIPAA or the HITECH Act. Those standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under [HIPAA and the HITECH Act].”
Covered entities will be required to disclose to consumers how their private health information will be used and disclosed. The bill requires the HHS to formulate permitted uses and disclosures for when individual authorization is not required, set authorization requirements, and establish a set of prohibited uses and disclosures.
As with HIPAA, there will be minimum necessary requirements to ensure that uses and disclosures are limited to the minimum necessary information to achieve the purpose for which health information is used or disclosed. The bill will give individuals rights over their health information, such as the right to receive a privacy notice, access their health data, and request an amendment or deletion of data, and it requires covered health information to be portable.
Physical, technical, and administrative safeguards must be implemented, including safeguards for electronic health information based on established national frameworks such as the NIST Cybersecurity Framework or the HHS health sector cybersecurity performance goals. In the event of a breach of covered health information, notifications are required, in line with those of the HIPAA Breach Notification Rule.
Within one year of the bill being passed, the Secretary of the HHS is required to establish unified national standards for rendering health information de-identified, similar to the de-identification requirements of HIPAA, and publish guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications.
The bill also requires the HHS to contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study to identify the risks and benefits of paying compensation to patients for sharing their personal health data for research purposes.
The Health Information Privacy Reform Act has preemption provisions similar to those of HIPAA, inasmuch as states will be permitted to strengthen privacy requirements should they so wish, although that could lead to a complex patchwork of privacy protections.
The HHS, in consultation with the FTC, will be authorized to enforce all provisions of the Health Information Privacy Reform Act, and may impose civil monetary penalties for noncompliance, in line with existing penalty structures.
Similar privacy laws have been proposed in the past to address the lack of privacy protections for non-HIPAA-covered health data, and there have been numerous attempts to pass a national data privacy law, all without success. It remains to be seen whether the Health Information Privacy Reform Act can gain sufficient support to get it over the line.
Cybersecurity Should Be Viewed as a Strategic Enabler of the Business – The HIPAA Journal
The US Healthcare Cyber Resilience Survey from EY and KLAS Research has revealed that more than 7 out of 10 healthcare organizations have experienced significant business disruption due to cyberattacks in the past two years.
The survey was conducted on 100 healthcare executives responsible for cybersecurity decisions within their organization. On average, organizations experienced five different cyber threats in the past year, the most common of which was phishing, experienced by 77% of organizations. The next most commonly encountered threats were third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%). Only 3% of respondents reported not experiencing any cyber threats in the past year.
These cyber incidents are having a considerable impact on patient care and business operations. Of the respondents, 72% reported that their organization experienced a moderate to severe financial impact due to cyberattacks in the past two years, 60% reported a moderate to severe operational impact, and 59% reported a moderate to severe clinical impact.
In healthcare, cybersecurity is often viewed as a set of defensive measures to protect against cyber threats and ensure compliance, but cybersecurity should be elevated to an organizational priority. Cyberattacks have a significant impact on patient care and business operations, damaging the organization’s reputation and affecting its bottom line. Healthcare organizations that make cybersecurity an organizational priority find that it creates value and helps them deliver better outcomes.
Cybersecurity investment should be aligned with outcomes such as reduced downtime, improved patient safety, and financial stability, and the survey suggests that CISOs are getting better at communicating this to the C-suite. When the cost of cybersecurity investment is compared to the cost of an outage on patient care and revenue, funds are often provided. The survey suggests that the main challenge is not getting the company to invest in cybersecurity, but to sustain the financial commitment over time, especially when budgets tighten or priorities shift. It can be especially hard to maintain that commitment when, after investing in cybersecurity, the organization continues to experience moderate to severe cyber events.
“Cyber needs to be a shared responsibility across the organization and the health ecosystem,” explained EY and KLAS in the report. “In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business.”
The problem faced by many organizations is competing organizational priorities and tight budgets, which were cited as a problem by two-thirds of respondents. Other challenges affecting healthcare organizations include a rapidly changing threat landscape, AI-driven threats, third-party risk management, and the difficulty of recruiting and retaining cybersecurity talent.
One of the main takeaways from the report is the importance of viewing cybersecurity as more than a set of technical and administrative safeguards to achieve compliance. Cybersecurity needs to be viewed as a value creator that is as critical as any other business need, be that improved patient outcomes, geographical expansion, or smart care models. “When cyber is integrated into care delivery and operational and business strategy, it becomes more than compliance. It serves as a catalyst for trust, transformation, long-term resilience, and care delivery that is future-proof,” suggest EY and KLAS.