Cybersecurity and “Recognized Security Practices”: New Statute modifies HIPAA
On January 5, 2020, President Trump signed into law H.R. 7898. This new statute amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider efforts by HIPAA covered entities and business associates to implement “recognized security practices” when assessing fines or penalties under the HIPAA Security Rule.
The statute provides that if a HIPAA covered entity or business associate can demonstrate compliance for the previous twelve months with “recognized security practices,” then that entity may benefit in the following scenarios:
1. mitigation of fines related to a HHS investigation resulting from a security incident;
2. an early and/or favorable termination of an audit brought under section 13411 [of HITECH]; and
3. mitigation of remedies agreed to in any agreement with respect to resolving potential violations of HIPAA Security Rule.
The statute makes clear that these changes do not give HHS authority to increase fines or the length of an audit when a HIPAA covered entity or business associate is found to be lacking compliance with the recognized security standards.
We expect the HHS to undertake an APA-proscribed rulemaking, either through a request for information (RFI) or notice of proposed rulemaking (NPRM) with regard to the potential HIPAA requirements that will likely include reference to examples of industry-recognized certification programs, as well as to NIST special publications, as discussed further below. Given the jurisdictional issues, it is most likely that HHS Office for Civil Rights (OCR) will be responsible for such a rulemaking effort.
In other words, it is likely that OCR will be charged with rulemaking efforts related to implementation of this statute, and would request comments regarding “recognized security practices” included in the statute’s definition of same, as follows:
1. “The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act.”
Generally, NIST special publications are considered best practices for all industries related to data security. They are extremely thorough and detailed, and are updated by NIST regularly. Given that OCR regularly includes references to NIST special publication in its guidance documents regarding HIPAA, it is very likely OCR will do the same in any rulemaking related to implementation of this statute.
2. “The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015.”
The Cybersecurity Act of 2015 (CSA) includes Section 405(d), “Aligning Health Care Industry Security Approaches.” In 2017, HHS convened the CSA 405(d) Task Group, through HHS’s existing Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group includes over 100 different types of health care industry representatives, and met six times from May 2017 through March 2018 to develop the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. Despite the lack of current information from the task force, OCR will likely include reference to any guidance developed as part of this effort in the rulemaking related to this statute, not only because the statute’s language dictates such, but also because of these previous efforts of HHS to implement the Cybersecurity Act of 2015.
3. “Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
The inclusion of this particular language by Congress in the statute appears to recognize the efforts of, and industry recognition of, private-sector compliance and certification groups working to improve data security practices related to cybersecurity in the United States, particularly in conjunction with efforts pursuant to other laws, such as Cybersecurity Maturity Model Certification (CMMC). This may be an area where clients should consider providing comments to any rulemaking related to this statute.