January 19, 2021

Volume XI, Number 19


Cybersecurity and “Recognized Security Practices”: New Statute modifies HIPAA

On January 5, 2020, President Trump signed into law H.R. 7898. This new statute amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider efforts by HIPAA covered entities and business associates to implement “recognized security practices” when assessing fines or penalties under the HIPAA Security Rule. 

The statute provides that if a HIPAA covered entity or business associate can demonstrate compliance for the previous twelve months with “recognized security practices,” then that entity may benefit in the following scenarios: 

1. mitigation of fines related to an HHS investigation resulting from a security incident;

2. an early and/or favorable termination of an audit brought under section 13411 [of HITECH]; and

3. mitigation of remedies agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule.

The statute makes clear that these changes do not give HHS authority to increase fines or the length of an audit when a HIPAA covered entity or business associate is found to be lacking compliance with the recognized security standards. 

We expect HHS to undertake an APA-prescribed rulemaking, either through a request for information (RFI) or a notice of proposed rulemaking (NPRM), with regard to the potential HIPAA requirements; that rulemaking will likely include references to examples of industry-recognized certification programs, as well as to NIST special publications, as discussed further below. Given the jurisdictional issues, it is most likely that the HHS Office for Civil Rights (OCR) will be responsible for such a rulemaking effort.

In other words, it is likely that OCR will be charged with rulemaking efforts related to implementation of this statute, and would request comments regarding the “recognized security practices” included in the statute’s definition of that term, as follows:

1. “The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act.”  

Generally, NIST special publications are considered best practices for data security across all industries. They are extremely thorough and detailed, and NIST updates them regularly. Given that OCR regularly includes references to NIST special publications in its guidance documents regarding HIPAA, it is very likely OCR will do the same in any rulemaking related to implementation of this statute.

2. “The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015.”  

The Cybersecurity Act of 2015 (CSA) includes Section 405(d), “Aligning Health Care Industry Security Approaches.” In 2017, HHS convened the CSA 405(d) Task Group through HHS’s existing Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group includes over 100 different types of health care industry representatives, and met six times from May 2017 through March 2018 to develop the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. Despite the lack of current information from the Task Group, OCR will likely include references to any guidance developed as part of this effort in the rulemaking related to this statute, not only because the statute’s language dictates as much, but also because of these previous efforts by HHS to implement the Cybersecurity Act of 2015.

3. “Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”  

The inclusion of this particular language by Congress in the statute appears to recognize the efforts of, and industry recognition of, private-sector compliance and certification groups working to improve data security practices related to cybersecurity in the United States, particularly in conjunction with efforts pursuant to other laws, such as the Cybersecurity Maturity Model Certification (CMMC). This may be an area where clients should consider providing comments on any rulemaking related to this statute.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XI, Number 14

About this Author

Iliana L. Peters, Healthcare, Privacy Lawyer, Polsinelli Law Firm
Shareholder

Iliana L. Peters believes good data privacy and security is fundamental to ensuring patients’ trust in the health care system, and to helping health care clients succeed in an ever-changing landscape of threats to data security. She is recognized by the health care industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data.     

For over a decade, she both...

202.626.8327
Erica L. (Beacom) Reagan Health Care Attorney Polsinelli Washington, D.C.
Associate

Erica Reagan is dedicated to providing effective, efficient and innovative legal solutions. By working with clients and clearly identifying business goals, Erica assists clients with their individual objectives. Erica believes in a multi-faceted approach to legal issues that considers both regulatory and public policy angles. She has developed a broad range of regulatory experience, representing clients in complex regulatory and administrative issues. As a member of both the FDA and Health Care Group, she has engaged in matters related to:

  • Navigating...
202-772-1487