HHS Begins Implementing 2021 Legislation on Cybersecurity Practices and HIPAA Enforcement | Practical Law
The Department of Health and Human Services (HHS) has begun implementing 2021 legislation that requires the agency, in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices, including with regard to cybersecurity. An HHS request for information (RFI) on this topic also addresses a requirement under which individuals harmed by HIPAA noncompliance may receive a percentage of the penalties or money settlements collected as a result of the noncompliance.