With consumer data privacy in focus, making the case for NIST over HIPAA

As states continue to enact their own privacy laws and Congress forges ahead with discussions of a federal privacy law, healthcare entities must prioritize coordination between privacy and security offices and look to the National Institute of Standards and Technology (NIST) rather than The Health Insurance Portability and Accountability Act (HIPAA) requirements to strengthen their cyber posture and ensure compliance.

As Andrew Mahler, vice president of privacy and compliance for CynergisTek, sees it, the existing challenges with HIPAA compliance and current state regulations will only compound further as regulating bodies continue to strengthen existing consumer data privacy laws.

Despite known shortcomings, HIPAA is the current standard all healthcare entities must meet to ensure compliance. But past audits of the sector consistently find that many entities and business associates struggle to comply with HIPAA, despite it only having 42 required controls.

Related story: HIPAA update expected to raise new tech compliance questions

Healthcare stakeholders have long made the case for updating the regulation, or at the very least requiring the use of the National Institute of Security and Technology (NIST) Cybersecurity Framework instead to reflect modern digital innovation across the sector.

In 2021, the long-awaited HIPAA Safe Harbor bill was enacted and amended the HITECH Act to require the Department of Health and Human Services to incentivize best practice cybersecurity for meeting HIPAA requirements.

The adoption of NIST is voluntary, but the bill supports entities that demonstrate compliance with industry standards.

As it stands, progress on privacy regulation is slow-going at the federal level, and it will take time for greater movement. Congress has again taken up the possibility of a federal privacy law with its proposed bill to create a commission to assess just how that would play out.

In the meantime, states have continued to add to the patchwork of privacy regulations, standing up their own privacy rules and laws, as well as frameworks that go well beyond what HIPAA has presented, explained Mahler.

Reviewing state privacy healthcare regulation

The regulatory privacy movement across states should increase the urgency for privacy, compliance, and legal security officers to determine overlying potential for compliance risks, given the differences in privacy and security requirements between the state laws and HIPAA.

These leaders must step back and look more holistically at the data they’re collecting, maintaining and transmitting to assess risks that might go beyond HIPAA and even beyond regulatory requirements, which may also stem into ethical questions and issues.

For example, providers may be a covered entity under HIPAA and use its security rule as a framework. But with some state privacy laws, Mahler noted it’s also important for these leaders to assess whether other “aspects of the organization’s work and mission may be subject to these other rules and laws.”

“What’s helpful about something like a voluntary privacy framework is that you can be aligned with the regulatory requirements and specific laws governing data, then align the framework with HIPAA or [other regulations], and it will help you start to take a more holistic view of the risks around your data,” said Mahler.

“That’s not to say you may not need to take a bit of a deeper dive on some elements,” he continued. It may also behoove entities to take a harder look at certain components of the framework, as more health data “goes beyond electronic patient health information and beyond a more traditional context.”

The more recent conversations and laws at a state level have occurred in Colorado, Virginia and Ohio. For Mahler, NIST has a track record of being a standard that’s beyond best practice and something that could just become the industry standard.

It’s likely the direction healthcare is headed, but other industries will likely be the first to see other industries require NIST adoption. For now, providers have an abundance of free resources to support the shift into better security measures and compliance.

As the impacts of the pandemic continue to play out, entities must take action to address these issues given the effect on patient care, changing missions, and the adoption of digital tech. While HHS focused more on HIPAA right of access violations during the pandemic, the Office for Civil Rights recently stated it will expand its concentration on all HIPAA violations.

“There’s been this relaxed enforcement posture. I think there may be a rude awakening, as we get out of the pandemic, and regulators begin to shift their focus back on making sure organizations have good, proper privacy standards in place,” said Mahler. “It’s coming down the road at some point.”

“It’s better to be thinking about that proactively, as organizations may have some breathing room, after this most recent variant surge, to start thinking about how they want to be protecting the data, as well as the standard they want to hold their organization to,” he added.

Coordination needed to ensure healthcare compliance

Properly assessing security incidents and coordinating the response across the enterprise is a major issue in healthcare, explained Mahler. The privacy office is usually on point for determining whether an incident is a breach when reporting and sending notification.

However, “many times — particularly with security incidents — the origination of that incident may happen without the privacy office even knowing about it,” said Mahler. “The reportable breach could come through a phishing attack or other technical reasons.”

The pandemic has placed a tremendous amount of stress on organizations, even on security offices due to the onslaught of “ransomware and the very real threat their systems will go down.” Despite best efforts, it’s challenging to manage a constantly evolving situation.

These struggles could reflect an increasing number of breach notices that fail to adhere to HIPAA requirements, such as reporting incidents impacting more than 500 patients within 60 days of discovering a breach.

“These breaches that are possibly not reported on time and other issues that could lead to noncompliance could be happening simply because of lack of focus,” said Mahler. But perhaps the reason could be better simplified as “some of these organizations have not had the time to sit down and coordinate and collaborate.”

“That’s not a good thing, but it’s just the reality right now,” he added. However, a number of provider organizations struggled with these issues before the pandemic.

In those cases, at a minimum, these organizations need to be doing a post mortem to think about what went wrong with their processes. Mahler noted that leaning on NIST and bolstering coordination will be key to ensuring that when an incident is uncovered, the entire organization is working together to make the assessment and properly notify individuals.

Healthcare is siloed in nature, even within its own organization. NIST can support breaking down communication gaps, as it includes a range of frameworks that bring together all the privacy and security controls, he explained.

“Security and privacy offices tend to have different skill sets or speak different languages, particularly around technology or legal risks,” said Mahler. “As we start thinking more holistically about data, we think about privacy and security being shared risks. The privacy framework is another way to bridge these conversations.”

It’s likely there are privacy officers who might feel intimidated looking at the privacy framework, because it’s just not as familiar to them, Mahler added. But it should be viewed as “an opportunity to lean on their security office and have a discussion about frameworks,” in tandem.

Whether they use the NIST privacy framework, adapt it, or use something else, “it really offers an opportunity for these offices to talk together, share their experiences, share their knowledge, and think about risk in a way that ideally helps manage risk across the organization in a much more effective way.”

“Sometimes it’s its lack of coordination and collaboration, others it’s just people talking different languages,” he continued. People need to find a way to talk to each other because otherwise, you’ll have these kinds of issues with breaches reported untimely, or maybe not even assessed.