New Year Likely To Bring New Incentive For Cybersecurity Investment

Fox Rothschild LLP


H.R. 7898, sent to the President for signature on December 24, 2020, may be the HIPAA holiday gift covered entities and business associates have been waiting for. The bill requires the Secretary of the Department of Health and Human Services, when considering penalties, audits and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months.

“Recognized security practices” broadly include:

“[S]tandards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.”

It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.

Almost exactly two years ago, HHS announced the publication of “Health Industry Cybersecurity Practices” developed as per the mandate under section 405(d) of the Cybersecurity Act of 2015.  The HICP are practical, cost-effective guidelines to reduce cybersecurity risks.  They include two separate sections: one designed for small health care organizations, and one designed for medium and large organizations.  Though published as “voluntary” practices, entities hoping to avoid HIPAA penalties will have a new reason to voluntarily adopt them if and when H.R. 7898 takes effect.

Since entities must have had HICP or another recognized cybersecurity practice in place for at least 12 months in order to fall within the protections of H.R. 7898, the sooner such practices are implemented, the better. Every covered entity and business associate should resolve to start 2021 with a renewed commitment to implementing and/or reviewing and updating their cybersecurity practices.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
