Public Health Emergency Leads to the Need for Privacy Legislation

By CHHS Extern Nicole Fullem 

The COVID-19 pandemic forced healthcare systems into a more remote environment and required them to adopt telehealth services to bring care to patients. The Department of Health and Human Services (HHS) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.” At the beginning of the public health emergency, HHS relaxed enforcement of the Health Insurance Portability and Accountability Act (HIPAA) rules in response to the increase in telehealth services. HHS’s guidance recognized that some of the technologies in use may not fully comply with the HIPAA Rules, but explained that it would not impose penalties for noncompliance with those regulatory requirements during the emergency. The relaxed requirements last only for the duration of the national emergency, but telehealth services are likely here to stay. In December 2020, seeing a need to deliver better care and give patients more access to their protected health information, HHS proposed modifications to the HIPAA Privacy Rule. The proposed rule seeks to improve information sharing, create greater family involvement in the care of individuals who are experiencing emergencies, and give greater flexibility for disclosures in emergency or threatening circumstances, such as a public health emergency. Concerns remain, however, about the privacy of health information.

The remote environment and increased use of telehealth services create privacy concerns for many people. Although the proposed Privacy Rule may provide better access to patients’ protected health information, some individuals have raised concerns: disclosing medical records without requiring the patient’s authorization may lead to the unintended release of sensitive information to a third party. In addition, patients would be allowed to request their health information verbally, and there are concerns that information may be released to the wrong party, or that more information may be released to a third party than the patient intended. More broadly, telehealth has led to a sharp increase in email exchanges between physicians and patients and in the sharing of protected health information among patients, providers, and third-party organizations. Questions inevitably remain about how to further protect patient privacy while allowing new and evolving technology to help deliver better care. Importantly, the public health emergency has exposed gaps in existing privacy legislation, specifically in the area of healthcare and health information.

Medical records remain one of the most valuable types of information, and during the public health emergency protected health information has been at higher risk than usual. In 2020, about 26 million patient records were exposed to unauthorized parties in the United States. The rise in healthcare cyber-attacks stems from poor handling of patient records and from migrating those records to cloud services. When HIPAA was enacted in 1996 it did not account for cybersecurity, and more importantly, it has not been updated to keep pace with the conditions that lead to modern healthcare cyber-attacks. HIPAA applies only to covered entities (health plans, healthcare clearinghouses, and certain healthcare providers) and their business associates; it does not reach other third-party platforms, such as fitness and personal health applications, that also collect personal health data.

Earlier calls for HIPAA to be modernized are resurfacing. Further changes to HIPAA may be needed so that technology can be used in a way that enhances privacy protection while improving information sharing. Congress and HHS have signaled that now is the time to address these privacy gaps, either through federal privacy legislation or through modification of the HIPAA rules. As HHS awaits feedback on the proposed Privacy Rule, at least 15 states have introduced privacy legislation, and a House Democrat has introduced the first comprehensive federal privacy bill of the year, the Information Transparency and Personal Data Control Act. States will likely continue to move forward with their own privacy legislation, but the need for a broad federal standard remains.

CHHS is Hiring!

CHHS is hiring! We are looking for both JDs and those with advanced degrees in other relevant fields. Learn about the positions and apply at the links below (links work best on computers, and not on mobile devices):… (candidates with a JD)… (candidates other advanced degree)

HITECH Act Amendment and What It Means for Incentivizing Cybersecurity Safeguards

By CHHS Extern Emma Barbato

Ransomware attacks on healthcare organizations were up 50% in the third quarter of 2020. Since 2016, ransomware attacks on healthcare organizations have cost the healthcare system around 157 million dollars. Because HHS guidance treats a ransomware attack that encrypts protected health information as a presumed breach under the Health Insurance Portability and Accountability Act (HIPAA) unless the entity can show a low probability that the data was compromised, these attacks carry a large potential for fines and for costly risk assessments. In 2020 the HHS Office for Civil Rights imposed more penalties on HIPAA covered entities (which include health plans, clearinghouses, and certain health care providers) and business associates than in any other year since HHS was given the authority to impose financial penalties for HIPAA violations. As ransomware and data privacy breaches become more commonplace, the amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, enacted as H.R. 7898 in January 2021, attempts to incentivize organizations to adopt NIST or other recognized cybersecurity safeguards that might prevent ransomware attacks on healthcare systems.

The HITECH amendment allows organizations to mitigate fines for HIPAA violations by requiring the Secretary of HHS to consider whether “recognized security practices” were in place when determining HIPAA fines, audit results, or remedies. If an entity has adopted the NIST Cybersecurity Framework or the HITRUST CSF, for example, that adoption will be taken into consideration when fines related to a security breach are calculated. The statute requires that the practices have been in place for at least the previous 12 months, so an organization cannot claim credit for a framework adopted only after an incident. Adoption of recognized security practices will also mitigate the remedies that would otherwise be agreed between an entity and HHS to resolve potential violations of the HIPAA Security Rule.

The amendment gives covered entities and business associates some flexibility in applying “recognized security practices.” The term is broad: it refers not only to the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, but also to any other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities. The statute adds that “such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Because the definition of “recognized security practices” is broad, it allows for scalability that takes into account the size, scope, and complexity of each organization. For many organizations this makes the NIST Cybersecurity Framework a sensible starting point for building a recognized cybersecurity program.

Given the protection the amendment provides, it makes sense for organizations that are not already implementing NIST or another recognized framework to adopt or update their cybersecurity protocols. The HITECH amendment allows organizations to use their documented cybersecurity practices as a mitigating factor against HIPAA fines. While the amendment mainly benefits institutions trying to limit the financial consequences of a data breach, the upside for patients is that better security practices may stop ransomware attacks before they jeopardize valuable personal health information.