HITECH Act Amendment Offers New Incentive to Reduce Fines and Other Remedies

White and Williams LLP

Just in case your office or company is in the process of compiling a “to-do” list for 2021, here is one item that should have your full attention. On January 5, 2021, an amendment to the HITECH Act (H.R.7898) was signed into law requiring the U.S. Department of Health and Human Services “to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” While the amendment does not include specific language as to what “consider” may mean in this context, Section 13412(a) makes clear the incentives for covered entities having “certain recognized security practices,” namely:

[T]he Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may— 

(1) mitigate fines under section 1176 of the Social Security Act[];

(2) result in the early, favorable termination of an audit under section 13411; and

(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving violations of the HIPAA Security rule . . . between the covered entity or business associate and the Department of Health and Human Services. 

Section 13412(b) defines the term “recognized security practices” as the “standards, guidelines, best practices, methodologies, procedures, and processes developed” under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the “approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” In addition, “[s]uch practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule[.]”

The amendment expressly states that “[n]othing in this section shall be construed as providing the Secretary authority to increase fines . . . or the length, extent or quantity of audits under section 13411, due to a lack of compliance with the recognized security practices.” Finally, the amendment provides that “nothing in this section shall be construed to subject a covered entity or business associate to liability for electing not to engage in the recognized security practices defined by this section[.]”

In other words, this new law offers significant incentives for simply being able to demonstrate to some unspecified degree the existence of recognized security practices. The amendment does not require or impose a standard for compliance with those security practices and leaves it to the covered entity or business associate to determine what those “recognized security practices” are for their particular operation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White and Williams LLP | Attorney Advertising
