On January 5th, 2021, President Donald Trump signed H.R. 7898 into law. The statute amends the Health Information Technology for Economic and Clinical Health Act (HITECH). The amendment, specifically, addresses fines and penalties levied by the Department of Health and Human Services (HHS). Now, before assessing penalties under the HIPAA Security Rule, the HHS must consider the organization’s implementation of “recognized security practices.” The Security Rule establishes safeguards to protect electronic personal health information created, received, used, or maintained by a covered entity.
Definition of “Recognized Security Practices”
The new law defines “recognized security practices” as the following:
- the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act;
- certain approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
- other programs/processes that address cybersecurity. (Additional statutory authorities developed, recognized, or promulgated through regulations these other programs or processes.)
Accordingly, the HHS will likely specify, at a later date, what security practices meet these standards and qualify for consideration.
The statute states that if a covered entity can demonstrate compliance with “recognized security practices” it may receive:
- a mitigation of fines or penalties related to an HHS investigation resulting from a security incident;
- an early and/or favorable termination of an audit brought under section 13411 of HITECH; and
- the mitigation of remedies agreed to in any agreement with respect to resolving potential violations of HIPAA Security Rule.
Compliance is only reached, however, if the security practices were in place for twelve months prior to the violation.
In conclusion, all HIPAA-covered entities should adopt “recognized security practices” if they have not already. Employers should also clearly document those practices to show their compliance in trying to prevent data breaches. As mentioned earlier, those “recognized security practices” may beneficially impact fine determination in the event of a data breach.