HITECH Act Amended to Give Businesses Brownie Points for Certain HIPAA Security Programs

Holland & Knight LLP

Holland & Knight LLP

On Jan. 5, 2021, the President signed into law H.R. 7898, which provides even more incentive for Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates to develop robust security compliance programs.

The new law amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the U.S. Department of Health and Human Services (HHS), when contemplating penalties for HIPAA-covered entities and business associates, to take certain security practices into account. Specifically, the HHS Secretary is required to consider whether the covered entity or business associate is able to adequately demonstrate that it had "recognized security practices" in place for at least the prior 12 months. If it does, it "may" result in early, favorable termination of audits, or mitigate other fines and penalties.

The law defines "recognized security practices" as "the standards, guidelines, best practices, methodologies, procedures, and processes" developed under:

  • section 2(c)15 of the National Institute of Standards and Technology Act
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015
  • other processes and programs developed under other statutory authorities that address cybersecurity

The law goes on to note that "[s]uch practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)." Nothing in the new provision gives HHS authority to increase fines under section 1176 of the Social Security Act or the length, extent or number of audits under section 13411. Interestingly, the new provisions also state that nothing in this particularly law subjects a covered entity or business associate to liability for "electing not to engage in the recognized security practices defined by this section." Conversely, nothing in the law limits the HHS Secretary's authority to enforce HIPAA or a business associate or covered entity's obligation to comply with the HIPAA Security Rule.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:

Holland & Knight LLP

Holland & Knight LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.