On January 5, 2020, President Trump signed a bill (HR 7898) that makes changes to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and provides a safe harbor for organizations that have applied accepted security best practices before encountering a data breach.
Although the bill doesn’t go so far as keeping the Department of Health and Human Services’ Office for Civil Rights from enforcing financial penalties for HIPAA compliance concerns that caused a data breach, the amendment calls for OCR to take into account the security actions implemented to minimize cybersecurity risk in the 12 months prior to a data breach.
The primary purpose of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and to maintain industry security guidelines, since doing so provides some insulation against regulatory enforcement action.
The bill mandates that HHS take into account an entity’s use of recognized security best practices when evaluating reported data breaches and contemplating HIPAA enforcement penalties or other regulatory actions. When an entity has followed the NIST Cybersecurity Framework or HITRUST CSF, for example, that will be considered when determining penalties related to security breaches. Following security best practices will also reduce the remedies negotiated between an entity and HHS to settle potential violations of the HIPAA Security Rule.
The bill additionally requires HHS to reduce the scope and length of audits if an entity is confirmed to have implemented industry-standard security best practices. It states that HHS is not allowed to impose higher fines on entities that did not conform to established security practices.
Recognized security practices refer to the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices are determined by the covered entity or business associate, in accordance with the HIPAA Security Rule.
The healthcare sector is heavily targeted by attackers, and healthcare data breaches are becoming far more common. Every year the number of successful cyberattacks on healthcare providers and their business associates rises, and 2020 was no exception: the healthcare industry had its worst year on record for data breaches. Note that the HHS’ Office for Civil Rights imposed more HIPAA penalties on HIPAA covered entities and business associates in 2020 than in any other year since HHS was given the authority to issue financial fines for HIPAA violations.
Healthcare institutions and HIPAA business associates that have not implemented a common cybersecurity program or recognized security practices must do so now. Implementation of recognized security practices will help to minimize the risk of a data breach along with the unfavorable consequences when a data breach does happen.