HITECH Act Amendment Incentivizes Adoption of NIST and Other Recognized Cybersecurity Safeguards as a Defense or Mitigation to HIPAA Enforcement

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations. Specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework, may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches.

The amendment mandates that when making determinations relating to fines, decreasing the length and extent of audits, or agreeing to mitigation remedies, the Secretary shall consider whether an entity “has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may”:

(1) mitigate the imposition of fines under section 13410 of the HITECH Act;

(2) result in the early, favorable termination of an audit under 13411 of the HITECH Act; or

(3) mitigate remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule between the covered entity or business associate and HHS.

The term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Consistent with the HIPAA Security Rule, this broad definition affords covered entities and business associates flexibility to implement reasonable and appropriate “recognized security practices” consistent with the size, scope and complexity of their organizations. Recommended starting points to identify recognized security practices would be to leverage NIST Special Publication 800-66 rev.1 and Health Industry Cybersecurity Practices (Managing Threats and Protecting Patients).

In light of the protective impacts of this new law, organizations that have not yet adopted “recognized security practices,” should consider doing so now. A strong first step to selecting reasonable and appropriate security practices involves conducting risk-based assessments of likely security threats, threat actors and vulnerabilities. Based on the findings of such an assessment, organizations can then identify possible countervailing recognized security practices that can decrease the risk of a security incident or data breach occurring in the first instance, and reduce risk of follow-on regulatory enforcement. Under the new HITECH Act amendment, adoption of recognized security practices may beneficially impact determinations of the level of fines and other enforcement measures in the event of a later data breach or other violation. EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and to identify recognized security practices that may bolster practical security and improve compliance defensibility.