Congress has passed and the President has signed legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Department of Health and Human Services (HHS), in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) or business associates (BAs) have implemented and applied certain recognized security practices—including with regard to cybersecurity (Pub. L. No. 116-321 (Jan. 5, 2021); H.R. 7898).
HHS Must Consider Use of Recognized Security Practices
The legislation requires HHS to consider whether a HIPAA CE or BA has adequately demonstrated that, for at least the 12 months preceding the matter under review, it had "recognized security practices" in place in the HIPAA compliance context (see HIPAA Privacy, Security, and Breach Notification Toolkit and Meaning of Recognized Security Practices). The presence of such security measures may warrant:
The legislation defines "recognized security practices" to include:
Standards, guidelines, best practices, methodologies, procedures, and processes developed under the provision of the National Institute of Standards and Technology Act that directs NIST to facilitate voluntary, consensus-based practices to cost-effectively reduce cyber risks (15 U.S.C. § 272(c)(15)); the NIST Cybersecurity Framework is the best-known product of that provision.
Certain other cybersecurity programs and processes that are developed, recognized, or promulgated through regulations under other statutory authorities.
The CE or BA itself selects which recognized security practices to adopt, and that selection must be consistent with the HIPAA Security Rule.
Limitations
The legislation does not authorize HHS to increase penalties, or to expand the length, scope, or number of audits, based on a CE's or BA's failure to adopt recognized security practices. Nor does it create any liability for a CE or BA that chooses not to adopt and apply them.
Conversely, the legislation does not restrict HHS's authority to enforce the HIPAA Security Rule, and it does not alter CEs' and BAs' existing obligations under the Security Rule.
Practical Impact
This legislation should offer some comfort to HIPAA CEs and BAs that implement robust cybersecurity safeguards and nonetheless fall victim to sophisticated attacks. As noted, the legislation does not limit HHS's authority to enforce the HIPAA Security Rule, but it should ensure that HHS gives some credit to a CE's or BA's legitimate efforts to ward off such attacks. Because the CE or BA must be able to show that the practices were actually in place for the full prior 12 months, the practical takeaway is to document the chosen framework, map controls to it, and retain dated evidence of implementation (policies, risk analyses, audit logs, training records) so that the showing can be made if an investigation or audit follows an incident.