Legislation passed last week designed to lower healthcare costs has several caveats that could incentivize healthcare providers to base their security programs around strong cybersecurity frameworks.

The legislation, the Lower Health Care Costs Act of 2019, was passed by the Senate HELP Committee, last Wednesday; it now moves to the Senate.

The U.S. Senate's Health, Education, Labor and Pensions, or HELP Committee, is one of several committees working on legislation around healthcare currently. The House, Energy and Commerce, Finance, Ways and Means, and Judiciary Committees also have healthcare legislation on their desks.

Since it was introduced in May, the Lower Health Care Costs Act has included a provision that emphasizes how healthcare facilities implement security and incentivize covered entities under HIPAA to make sure they have strong cybersecurity policies in place.

Assuming the legislation is eventually passed into law, it's possible the provision, “Improving the Exchange of Health Information,” could ease HIPAA enforcement. The legislation would urge the Department of Health and Human Services (HHS) to consider how a provider has implemented cybersecurity policies or practices when conducting an audit or administering fines following a HIPAA violation.

The would also get the HHS' Office for Civil Rights (OCR) to determine when covered entities and business associates have built robust enough cybersecurity programs. Under the provision, if facilities can meet certain thresholds, they may see reduced penalties in the event of a security breach.

While the provision isn’t a ‘get out of jail free’ card by any means, it could mean the OCR might look more favorably on organizations with strong cybersecurity protections.

If passed, the bill would fall in line with recent actions taken by HHS, which in April moved to reduce HIPAA fines by loweing the annual cap for the least severe violation from $1.5 million to $25,000.

Currently OCR can impose a civil monetary penalty under HIPAA if it “if it determines it violated one or more administrative simplification provisions that could not be resolved by informal means."

There are a handful of factors that affect how much OCR can impose, including the nature and extent of the violation, the nature and extent of resulting harm, the entity's history of HIPAA compliance, the financial condition of the covered entity or business associate, and other matters.

Another new provision included in the bill would commission the Government Accountability Office to carry out a study on the privacy and security risks of sharing patient health information electronically, between entities not covered by HIPAA, like healthcare apps used by consumers to keep track of, and store patient data via APIs.

The goal of the study would be "to better understand existing gaps in privacy and security protections for health information as patients move their information to third parties, such as mobile applications, that are not covered by the HIPAA privacy and security rules," according to the bill.

As expected, most of the discussion around the bill's approval last week stemmed from how, if it passed, would benefit consumers on the healthcare cost front. The lengthy 196-page bill, which was passed by a vote of 20-3, also addresses a slew of healthcare issues.

The crux of the bill is designed to alleviate healthcare costs by cracking down on surprise billing, anti-competitive costs in insurance contracts, and better informing patients of the cost and quality of their healthcare, according to the HOPE Committee's Chairman, Lamar Alexander (R-Tenn.)

"I hope we can present [this bill] to Majority Leader McConnell, (R-Ky), and Minority Leader Schumer, (D-NY) for the full Senate to consider [in July] and would expect that other committees will have their own contributions," Alexander said last week.