Bass, Berry & Sims attorney Jeff Gibson was interviewed on a recent Speaking of Health Law podcast released by the American Health Law Association (AHLA) about data privacy and security issues in the healthcare industry.

When asked about key initiatives from the last year that will help strengthen privacy and security compliance, Jeff referenced the enactment of HR 7898, which amends the HITECH Act: “HR 7898 essentially provides for some level of benefit for organizations who can demonstrate that they have in place recognized security practices. In particular, 7898 says that the secretary of HHS can consider – is not required to consider – whether a covered entity or business associate has demonstrated for at least the last 12 months it has recognized security practices in place. If the entity is able to do so, then that could possibly result in mitigation of fines or other remedies that might otherwise flow to the organization from an audit or investigation … Here we see HHS putting in place some incentives to hopefully encourage entities to be more proactive with their risk practices.”

A major enforcement development from the past year is the October 2021 announcement from the Department of Justice (DOJ) regarding its new Civil Cyber-Fraud Initiative. As Jeff explained, under this initiative, the DOJ will “pursue False Claims Act liability against government contractors in the cyber-security space … Under this initiative, we are likely to see more False Claims Act lawsuits against government contractors filed by the government, or investigations undertaken by the government, if the government believes that government contractors are failing to meet their cyber-security obligations under applicable law or the terms of government contracts.” He added that whistleblowers are likely to be aggressive in bringing qui tam lawsuits under the False Claims Act when they believe their employers are not honoring their cyber-security obligations.

As Jeff warns, “It’s critically important for entities to understand the various privacy and breach notification laws that apply to them, what unique requirements each set of laws carries, and to develop security programs and breach response protocols that meet the various requirements … It’s important to stay abreast of where you’re operating and what the requirements are that apply.”

Jeff suggests that to stay compliant, entities should “assess their data security programs, which should be an ongoing exercise … I certainly expect to see a continued emphasis on enforcement as we move forward.”

The full episode, “Data Privacy and Security in 2022: What’s Next on the Compliance Journey?,” was released on November 30 by the AHLA’s Speaking of Health Law podcast and is available at the link or wherever you get your podcast content.