Readers Write: HIPAA Security Rule Update: Why Should Every Practice and Hospital Have to Build Their Own Defenses?
By Joseph Schneider, MD, MBA
Joseph Schneider, MD, MBA is with the University of Texas Southwestern.
I read Jason Ward’s excellent Readers Write and agree that it’s important to have clear best practices for security and that the Security Rule needs an update. However, I strongly disagree that a “one size fits all” approach like the proposed HIPAA Security Rule update is the right one. The impact on smaller physician practices is tremendous and is not commensurate with the “probability and criticality of potential risks to ePHI,” as required by the wording of the original HIPAA legislation.
Here are some comments on the proposed rule that are being sent to HHS:
- HHS states (on page 1004 of the Federal Register) “if the proposed changes in the NPRM reduce the number of affected individuals by 7 to 16 percent, the rule would pay for itself. Alternatively, the same cost savings may be achieved by lowering the cost per affected individual’s ePHI by 7 percent ($35) and 16 percent ($82), respectively.” Logically, the changes should reduce breaches or reduce costs, but there’s no evidence cited (that I could find) that supports this level of improvement. How much will this impact things? We don’t know, and it’s going to cost a huge amount to find out. First-year costs are ~$9 billion, with years 2-5 costing $6 billion annually. The present value of the costs, if I’m reading it correctly, is $32 billion, which coincidentally was just a little less than the original estimated cost of the Meaningful Use program.
- On page 1007, HHS estimates that “the cost for a one-establishment [location] firm is $1,235 …” That’s absolute nonsense. The cost of doing all these things could be WAY more than $1,235 per practice. The averaging methodology used to come up with this number is flawed. A detailed cost analysis by requirement should be done and published for review.
- HHS goes on to say, “In the context of the RFA, HHS generally considers an economic impact exceeding 3 percent of annual revenue to be significant…” Three percent of revenue spent on this activity alone is enough to put some small practices and possibly some rural hospitals out of business. No practice has 3% of revenues just sitting around.
- Finally, HHS says that “In the context of the RFA, HHS generally considers an economic impact exceeding … 5 percent or more of the affected small entities within an identified industry to represent a substantial number.” This is ridiculous and arbitrary. In essence, HHS is saying that it’s OK for up to 4.99% of small practices to be bankrupted or badly damaged. Additionally, it’s easy to say that practices can go out of business, and it’s not significant, but it ignores the impact on the community when the only practice in town or for miles may close.
Two additional global thoughts:
This is a gross over-expansion of the original HIPAA legislation wording. As noted on the HHS website: “The Security Rule does not dictate the specific security measures that a regulated entity must use. Instead, it requires the regulated entity to consider the following factors when selecting security measures that meet the Security Rule’s requirements: 1) its size, complexity, and capabilities; 2) its technical infrastructure, hardware, and software security capabilities; 3) the costs of security measures; 4) the probability and criticality of potential risks to ePHI.” By defining specific measures that MUST be taken, HHS is going far beyond what the law says. If the proposed changes are put into place, I expect that they will be challenged based on the Loper Bright Enterprises v. Raimondo decision that overturned the Chevron doctrine.
Most importantly, the approach that we’re taking regarding security protection requires each organization to do everything. That stems from our culture of individualism. A better alternative would be if we had national approaches to at least some elements of this national problem.
Here are two examples. Instead of every hospital and practice having to develop its own training, why not have a single national training and re-education program that clinicians and staff need to complete just once? And instead of having every small practice / rural hospital bear the costs of developing their own security plans and pay for audits, why not have the equivalent of the Agricultural Extension Offices provide these? It would cost less than having everyone do everything. Security is a national priority and we need to start thinking about national solutions, just as we do with national defense.
I’m not suggesting that we keep the status quo of security, but we have to have different thinking about how to approach this so that we don’t damage or destroy small practices and rural hospitals. And while I don’t agree with a lot that’s going on in Washington right now, if this proposed rule died in the transition, I wouldn’t be crying too hard.
I completely agree. Their cost estimates are ludicrous. I think this comment has a good summary: https://www.regulations.gov/comment/HHS-OCR-2024-0020-0025
If you’re reading this and haven’t submitted a comment to HHS already, please do so.
The United States is being invaded by Russians, Chinese, and North Koreans. Not physically wading onto our shores, but electronically. Our government should be stopping these invaders at the electronic entry port. This should not be solely private industry’s responsibility to solve via an unfunded mandate.