HITECH Act Amendment Incentivizes Adoption of NIST and Other Recognized Cybersecurity Safeguards as a Defense or Mitigation to HIPAA Enforcement

Epstein Becker & Green
Contact

Epstein Becker & Green

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations. Specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework, may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches.

The amendment mandates that when making determinations relating to fines, decreasing the length and extent of audits, or agreeing to mitigation remedies, the Secretary shall consider whether an entity “has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may”:

(1) mitigate the imposition of fines under section 13410 of the HITECH Act;

(2) result in the early, favorable termination of an audit under 13411 of the HITECH Act; or

(3) mitigate remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule between the covered entity or business associate and HHS.

The term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Consistent with the HIPAA Security Rule, this broad definition affords covered entities and business associates flexibility to implement reasonable and appropriate “recognized security practices” consistent with the size, scope and complexity of their organizations. Recommended starting points to identify recognized security practices would be to leverage NIST Special Publication 800-66 rev.1 and Health Industry Cybersecurity Practices (Managing Threats and Protecting Patients).

In light of the protective impacts of this new law, organizations that have not yet adopted “recognized security practices,” should consider doing so now. A strong first step to selecting reasonable and appropriate security practices involves conducting risk-based assessments of likely security threats, threat actors and vulnerabilities. Based on the findings of such an assessment, organizations can then identify possible countervailing recognized security practices that can decrease the risk of a security incident or data breach occurring in the first instance, and reduce risk of follow-on regulatory enforcement. Under the new HITECH Act amendment, adoption of recognized security practices may beneficially impact determinations of the level of fines and other enforcement measures in the event of a later data breach or other violation. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Epstein Becker & Green | Attorney Advertising

Written by:

Epstein Becker & Green
Contact
more
less

Epstein Becker & Green on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.