On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach.
While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach.
The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions.
The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches and considering HIPAA enforcement penalties or other regulatory actions. If, for example, an entity has adopted the NIST Cybersecurity Framework or HITRUST CSF, that adoption will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and the HHS to resolve potential violations of the HIPAA Security Rule.
The bill also requires the HHS to decrease the extent and length of audits if an entity is determined to have achieved industry-standard security best practices and makes it clear that the HHS is not authorized to increase fines for entities found not to have adhered to recognized security practices.
Recognized security practices are defined as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”
The healthcare industry is extensively targeted by hackers, and healthcare data breaches are becoming much more common. Each year, the number of successful cyberattacks on healthcare organizations and their business associates increases, and 2020 was no exception: it was by far the worst year on record for healthcare industry data breaches. It is also worth noting that 2020 saw more HIPAA penalties imposed on HIPAA covered entities and business associates by the HHS’ Office for Civil Rights than any other year since the HHS was given the authority to impose financial penalties for HIPAA violations.
Healthcare organizations and HIPAA business associates that have not yet adopted a common cybersecurity framework or other recognized security practices should consider doing so now. Adoption of recognized security practices will help to reduce the risk of a data breach as well as the negative consequences if a data breach does occur.