Cybersecurity and “Recognized Security Practices”: New Statute modifies HIPAA



On January 5, 2020, President Trump signed into law H.R. 7898. This new statute amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider efforts by HIPAA covered entities and business associates to implement “recognized security practices” when assessing fines or penalties under the HIPAA Security Rule. 

The statute provides that if a HIPAA covered entity or business associate can demonstrate compliance for the previous twelve months with “recognized security practices,” then that entity may benefit in the following scenarios: 

1. mitigation of fines related to an HHS investigation resulting from a security incident;

2. an early and/or favorable termination of an audit brought under section 13411 [of HITECH]; and

3. mitigation of remedies agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule.

The statute makes clear that these changes do not give HHS authority to increase fines or the length of an audit when a HIPAA covered entity or business associate is found to be lacking compliance with the recognized security standards. 

We expect HHS to undertake an APA-prescribed rulemaking, either through a request for information (RFI) or a notice of proposed rulemaking (NPRM), with regard to the potential HIPAA requirements, which will likely include reference to examples of industry-recognized certification programs, as well as to NIST special publications, as discussed further below. Given the jurisdictional issues, it is most likely that the HHS Office for Civil Rights (OCR) will be responsible for such a rulemaking effort.

In other words, it is likely that OCR will be charged with rulemaking efforts related to implementation of this statute, and would request comments regarding the “recognized security practices” listed in the statute’s definition of that term, as follows:

1. “The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act.”  

Generally, NIST special publications are considered best practices for all industries related to data security. They are extremely thorough and detailed, and are updated by NIST regularly. Given that OCR regularly includes references to NIST special publications in its guidance documents regarding HIPAA, it is very likely OCR will do the same in any rulemaking related to implementation of this statute.

2. “The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015.”  

The Cybersecurity Act of 2015 (CSA) includes Section 405(d), “Aligning Health Care Industry Security Approaches.” In 2017, HHS convened the CSA 405(d) Task Group, through HHS’s existing Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group includes over 100 different types of health care industry representatives, and met six times from May 2017 through March 2018 to develop the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. Despite the lack of current information from the task force, OCR will likely include reference to any guidance developed as part of this effort in the rulemaking related to this statute, not only because the statute’s language dictates such, but also because of these previous efforts of HHS to implement the Cybersecurity Act of 2015.

3. “Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”  

The inclusion of this particular language by Congress in the statute appears to recognize the efforts of, and industry recognition of, private-sector compliance and certification groups working to improve data security practices related to cybersecurity in the United States, particularly in conjunction with efforts pursuant to other laws, such as the Cybersecurity Maturity Model Certification (CMMC). This may be an area where clients should consider providing comments to any rulemaking related to this statute.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
