For most healthcare C-Suite execs, HIPAA represents the most important regulatory risk related to data security and privacy. While HIPAA will continue to figure importantly in ongoing risk monitoring, a new generation of healthcare regulation is about to spawn additional threats that deserve a place alongside HIPAA on executives’ risk assessment dashboard.
Far-reaching data sharing mandates driving today’s healthcare transformation trends, including value-based contracting, patient centered care, and digital automation – are squarely in the cross-hairs of new regulatory initiatives. These mandates have the potential to unleash unprecedented volumes of electronic health information (EHI) which will need to be sourced, transported, delivered, and archived according to strict guidelines – of which HIPAA privacy and security rules are mere table stakes.
According to an October 2019 survey conducted by Accenture, a majority of provider and payer executives are not aware of key mandates, nor are they prepared to comply with them. In view of the new healthcare regulations, the C-suite that has only HIPAA privacy and security risk on its radar is most likely underestimating its true exposure.
The new generation of rules, born of the 2011 Medicare and Medicaid EHR Incentive Program and currently evolving under the 21st Century Cures Act, is considerably more complex than the rules launched under HIPAA in 1996. While data security and privacy remain foundational, the expanded scope of these rules carries mandates for mobilizing siloed data and delivering it, in high volumes and at high velocity, across disparate systems to a variety of recipients across the care continuum, including the full spectrum of providers as well as patients and caregivers.
Of the many rules that are likely to have impact as data is shared more widely, there are 4 that deserve elevated visibility on executives’ threat and vulnerability dashboards today:
1. 21st Century Cures Act – Significant penalties of up to $1 million per violation are authorized under these (pending) rules:
   a. The Interoperability and Patient Access Proposed Rule (CMS)
   b. “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” (ONC)
2. OCR “Right of Access Initiative” – Up to $100,000 per infraction/violation (avg)
3. Updated HIPAA Breach-Violation Enforcement – $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation
4. GDPR / The California Consumer Privacy Act (CCPA) – January 1, 2020 – Converging European and US standards
   a. GDPR: fines of up to 10 million Euros applicable to PHI exchanged with patients residing in the EU
   b. CCPA:
      i. $7,500 per violation
      ii. Individual right to bring lawsuits for breach of “non-encrypted or non-redacted personal information”: $100-$750 per incident, or more where damages exceed $750
Awareness of the above rules is an essential first step toward assessing risk exposure and designing a relevant management strategy. To succeed in this endeavor, it’s critical to understand that:
- the new risks are multi-faceted, driven by policies with data sharing objectives beyond the traditional scope of HIPAA
- while cybersecurity-focused strategies were sufficient to mitigate risk in the past, today’s risk landscape requires added expertise in interoperability, and in methods of embedding security, privacy, and interoperability in complex clinical workflows that deliver data at high velocity to multiple recipients, including physicians, patients, and other caregivers.
Concurrent with the obvious risks surrounding regulations, there are also opportunities. A follow-up installment of this blog will explore revenue opportunities triggered by healthcare regulations and how an optimal plan for responding to regulatory change should consider solutions that both mitigate risk and maximize opportunities.
For a consultation or additional information, please contact:
Hugh Gilenson, Director, Healthcare firstname.lastname@example.org