HIPAA Enforcement: Use of Recognized Security Practices, Including for Cybersecurity | Practical Law
In April 2022, the Department of Health and Human Services (HHS) began implementing 2021 legislation that requires the agency, when enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices, including cybersecurity practices. An HHS request for information (RFI) on this topic also addresses a rule under which individuals harmed by HIPAA noncompliance may receive a percentage of the monetary settlements or penalties collected as a result of that noncompliance.