Proposed Cybersecurity Regulations May Overwhelm Private Radiology Practices, Warns RBMA

Published Date: April 22, 2025

The Radiology Business Management Association (RBMA) has expressed concerns that a newly proposed cybersecurity regulation from the U.S. Department of Health and Human Services (HHS) could impose significant burdens on private radiology practices.

On December 27, the HHS Office for Civil Rights introduced a proposal to update the HIPAA Security Rule for the first time in over a decade. The proposed changes aim to enhance cybersecurity standards, including mandates for written documentation of all security policies and the implementation of multifactor authentication, with limited exceptions.

RBMA officials argue that these new requirements would be "particularly burdensome for all physicians, but especially for those in private practice radiology." In comments submitted to HHS on February 28, the association stated, "RBMA is committed to protecting our patients’ private health information. We support reasonable measures to ensure this protection. However, many of the additional requirements outlined in the proposed rule could be cost prohibitive without generating a commensurate level of additional protection for individual patients, their providers or business associates."

The association highlighted that private radiology practices often operate on "very limited budgets," making the financial impact of the proposed regulations substantial. HHS estimates suggest that, in the first year of implementation, regulated entities would incur approximately $4.6 billion in costs, with plan sponsors facing an additional $4.6 billion.

Among the new requirements are conducting security audits, verifying that business associates comply with technical safeguards, and performing annual penetration tests. These mandates come at a time when interventional radiology has experienced a 37% decrease in reimbursement since 2007, and diagnostic radiology has seen a 38% decline, according to the Outpatient Endovascular and Interventional Society.

"Additional regulations like the items listed above will likely lead to further consolidation in the healthcare industry, which, as we know, drives up the cost of healthcare," RBMA President Pete Moffatt and colleagues wrote. "Small, independent radiology groups simply cannot afford to implement such measures."

RBMA has proposed several adjustments to the rule, advocating against a "one size fits all" approach that could disproportionately affect smaller practices. The association recommends tailoring measures to the size of each regulated entity and opposes the requirement to track, record, and report unsuccessful breaches, deeming it "overly burdensome and costly." Additionally, RBMA suggests a "phased implementation" of the requirements over time, aligning with the expiration of new business agreements.

"We believe these adjustments will help mitigate the financial impact on radiology groups and ensure that patient care remains uncompromised while still ensuring the ongoing security of [electronic protected health information] for all our patients," the letter concludes.

Over the past five years, the Office for Civil Rights has observed a 102% increase in reports of large data breaches involving 500 or more records, as noted by the HIPAA Journal. The number of individuals affected has surged by 1,002%, largely due to a significant rise in hacking incidents and ransomware attacks.

HHS is accepting comments on the proposed rule until Friday, March 7, and has received over 4,300 submissions to date.