Lee Barrett, Executive Director and CEO, EHNAC
Twitter: @LeeBarrettEHNAC
Twitter: @EHNAC
Lee Barrett outlines ruling; discusses benefits for companies employing recognized security practices
On January 5 of this year, H.R. 7898 (Public Law 116-321), also known as the HIPAA Safe Harbor Law, was enacted. Under this legislation, covered entities (CEs) and business associates (BAs) that deal with protected health information (PHI) and maintain accredited security standards for more than 1 year could face lesser fines, penalties and audit scrutiny by the Office for Civil Rights (OCR) in the event of a cyberattack or data breach. With uncertainty surrounding the exact requirements that will be mandated by the U.S. Department for Health and Human Services (HHS), Lee Barrett, CEO and Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC), tackled several questions to better help the industry understand the benefits for employing recognized security practices.
Q: How does the law affect my organization?
Barrett: The law amends the HITECH Act to require HHS to consider “recognized security practices” when considering fines or penalties under the HIPAA Security Rule for CEs and BAs. Fines from OCR can top $1 million, in addition to audit and mitigation costs and loss of business due to adverse publicity.
Obtaining a security accreditation or certification would count as a recognized security practice while providing a high level of assurance for employees, patients, associates and others that data flowing through a company’s servers and being exchanged with others is being protected.
Q: What are ‘recognized security practices’?
Barrett: According to the law, “the term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).”
Q: Why is it important?
Barrett: Cybersecurity remains a critical issue for healthcare providers, payers, clearinghouses, healthcare software vendors, and other covered entities and business associates. According to the OCR Breach Portal, healthcare server breaches were up 23% the first 10 months of 2020 compared to the same period of 2019. Providers accounted for 79% of all healthcare breaches, showing the value of patient information on the black market.
Between January and October 2020, healthcare network server breaches increased 23% over the same 10-month span in 2019. According to Healthcare Innovation, ransomware attacks cost healthcare organizations $21B in 2020. The average cost to mitigate a healthcare data breach tops $7 million, the highest ranked industry and nearly double the global average to mitigate a breach in other industries.
Q: What should be considered when choosing an accreditation organization?
Barrett: Not all accreditation organizations are created equal. To maximize benefits, organizations should look at selecting an accreditation from an organization that is solely focused on healthcare and specifically designed to safeguard PHI. Each type of healthcare stakeholder has unique needs, and when selecting a program, it should serve the range of stakeholder types, from health systems to payers to HIEs. Additionally, accreditation may cost less than most think, and certainly a lot less than costs associated with mitigating a breach and potentially paying penalties or fines, revenue loss or loss of credibility.
About EHNAC
The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors, third-party administrators and trusted networks. The Commission is an authorized HITRUST External Assessor, making it the only organization able to provide both EHNAC accreditation as well as to conduct HITRUST CSF assessment services.
EHNAC was founded in 1995 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare.