April 18, 2021

Volume XI, Number 108

Advertisement

April 16, 2021

Subscribe to Latest Legal News and Analysis

HITECH Act Amendment Incentivizes Adoption of NIST and Other Recognized Cybersecurity Safeguards as a Defense or Mitigation to HIPAA Enforcement

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations. Specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework, may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches.

The amendment mandates that when making determinations relating to fines, decreasing the length and extent of audits, or agreeing to mitigation remedies, the Secretary shall consider whether an entity “has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may”:

(1) mitigate the imposition of fines under section 13410 of the HITECH Act;

(2) result in the early, favorable termination of an audit under 13411 of the HITECH Act; or

(3) mitigate remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule between the covered entity or business associate and HHS.

The term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Consistent with the HIPAA Security Rule, this broad definition affords covered entities and business associates flexibility to implement reasonable and appropriate “recognized security practices” consistent with the size, scope and complexity of their organizations. Recommended starting points to identify recognized security practices would be to leverage NIST Special Publication 800-66 rev.1 and Health Industry Cybersecurity Practices (Managing Threats and Protecting Patients).

In light of the protective impacts of this new law, organizations that have not yet adopted “recognized security practices,” should consider doing so now. A strong first step to selecting reasonable and appropriate security practices involves conducting risk-based assessments of likely security threats, threat actors and vulnerabilities. Based on the findings of such an assessment, organizations can then identify possible countervailing recognized security practices that can decrease the risk of a security incident or data breach occurring in the first instance, and reduce risk of follow-on regulatory enforcement. Under the new HITECH Act amendment, adoption of recognized security practices may beneficially impact determinations of the level of fines and other enforcement measures in the event of a later data breach or other violation. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.

Advertisement
©2021 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume XI, Number 10
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Brian G. Cesaratto, Epstein Becker, Employment benefits Litigation Lawyer, Workforce Management attorney
Member

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

212-351-4921
Patricia M. Wagner, Epstein becker green, health care, life sciences
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

202-861-4182
Alaap Shah Attorney Healthcare Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320
Advertisement
Advertisement