Legislation Requires HHS to Consider Entities' Cybersecurity Practices in Enforcing HIPAA | Practical Law

Legislation Requires HHS to Consider Entities' Cybersecurity Practices in Enforcing HIPAA | Practical Law

Congress has passed and the President has signed legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Department of Health and Human Services (HHS), in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) or business associates (BAs) have implemented and applied certain recognized security practices—including with regard to cybersecurity (Pub. L. No. 116-321 (Jan. 5, 2021); H.R. 7898).

Legislation Requires HHS to Consider Entities' Cybersecurity Practices in Enforcing HIPAA

by Practical Law Employee Benefits & Executive Compensation
Congress has passed and the President has signed legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Department of Health and Human Services (HHS), in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) or business associates (BAs) have implemented and applied certain recognized security practices—including with regard to cybersecurity (Pub. L. No. 116-321 (Jan. 5, 2021); H.R. 7898).
Congress has passed and President Trump has signed legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require HHS, in enforcing HIPAA, to consider whether HIPAA covered entities (CEs) or business associates (BAs) have implemented and applied certain recognized security practices—including with regard to cybersecurity (Pub. L. No. 116-321 (Jan. 5, 2021); H.R. 7898).

HHS Must Consider Use of Recognized Security Practices

The legislation requires HHS to consider whether HIPAA CEs and BAs have shown that, for a period covering at least the prior 12 months, they implemented certain "recognized security practices" in the HIPAA compliance context (see HIPAA Privacy, Security, and Breach Notification Toolkit and Meaning of Recognized Security Practices). The presence of such security measures may warrant:

Meaning of Recognized Security Practices

The legislation defines "recognized security practices" to include:
  • Standards, guidelines, best practices, methodologies, procedures, and processes created under a provision of the National Institute of Standards and Technology Act intended to cost-effectively reduce cyber risks (15 U.S.C. § 272(c)(15)).
  • Approaches developed pursuant to Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. § 1533(d); see Practice Note, NIST Cybersecurity Framework).
  • Certain other cybersecurity programs and processes developed under regulations implementing other statutes.
A CE or BA determines the recognized security practices consistent with the HIPAA Security Rule.

Limitations

The legislation does not authorize HHS to increase penalties—or expand the length, scope, or number of audit(s)—based on a CE's or BA's noncompliance with recognized security practices. The legislation also does not subject CEs or BAs to liability for choosing not to adopt and apply recognized security practices.
On the other hand, the legislation does not restrict HHS's authority to enforce the HIPAA Security Rule (or conflict with CEs' and BAs' obligations under the Security Rule).

Practical Impact

This legislation should give at least some comfort to HIPAA CEs and BAs that—despite implementing robust cybersecurity measures and safeguards—nonetheless fall prey to hackers' sophisticated cyberattacks. As noted, the legislation does not expressly limit HHS's authority to enforce the HIPAA Security Rule, but it should ensure that HHS gives some credit to a CE's or BA's legitimate efforts to ward off such attacks.