Newly proposed cybersecurity rule could cripple private radiology practices, RBMA says
A proposed cybersecurity rule from Health and Human Services could hamstring private imaging practices, the Radiology Business Management Association charged in recently submitted comments.
The HHS Office for Civil Rights issued the proposal on Dec. 27, marking the first major update to the HIPAA Security Rule in over a decade. Authorities want to strengthen standards amid increasing cybersecurity concerns. This would include requiring written documentation of all security policies and multifactor authentication (with limited exceptions).
Radiology business advocates noted that practices already must comply with numerous cybersecurity regulations. The new HIPAA Security Rule requirements will be “particularly burdensome for all physicians, but especially for those in private practice radiology.”
“RBMA is committed to protecting our patients’ private health information,” association leaders wrote in comments submitted to HHS on Feb. 28. “We support reasonable measures to ensure this protection. However, many of the additional requirements outlined in the proposed rule could be cost prohibitive without generating a commensurate level of additional protection for individual patients, their providers or business associates.”
Private radiology practices already operate on “very limited budgets,” RBMA President Pete Moffatt and colleagues noted, and the expense associated with implementing the new rule’s requirements will be “substantial.” In the first year of implementation, regulated entities would incur roughly $4.6 billion in costs, while plan sponsors would spend another $4.6 billion, according to HHS estimates.
New requirements would include conducting a security audit, verifying that business associates are compliant with technical safeguards, and conducting annual penetration tests. This comes as interventional radiology has experienced a 37% decrease in reimbursement since 2007 and DR a 38% downturn, according to estimates from the Outpatient Endovascular and Interventional Society.
“Additional regulations like the items listed above will likely lead to further consolidation in the healthcare industry, which, as we know, drives up the cost of healthcare,” Moffatt and colleagues wrote. “Small, independent radiology groups simply cannot afford to implement such measures.”
RBMA offered a list of possible tweaks, noting that a “one size fits all” approach will “significantly penalize smaller radiology practices.” It wants measures that are proportionate to each regulated entity’s size, and the association is against requiring the tracking, recording and reporting of unsuccessful breaches, believing this is “overly burdensome and costly.” Plus, RBMA is pushing for “phased implementation” of the requirements over time, as new business agreements expire.
“We believe these adjustments will help mitigate the financial impact on radiology groups and ensure that patient care remains uncompromised while still ensuring the ongoing security of [electronic protected health information] for all our patients,” the letter concludes.
Over the past five years, the Office for Civil Rights has seen a 102% increase in reports of large data breaches of 500 or more records, the HIPAA Journal noted. The number of individuals impacted has increased by 1,002%, driven by a sizable upswing in hacking incidents and ransomware attacks.
HHS is accepting comments on the proposed rule until Friday, March 7, and has received over 4,300 submissions. The submitted comments and the full 393-page proposed rule are available online.