The Department of Health and Human Services (HHS) has begun implementing 2021 legislation that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The amendment requires the agency to consider the security practices of covered entities and their business associates when conducting audits or administering HIPAA penalties.
The department’s assessment will look at covered entities and their business associates to determine whether they have applied certain "recognized security practices." These include standards and approaches developed under the National Institute of Standards and Technology Act, the Cybersecurity Act of 2015, and programs and processes established through regulations under other statutes. A security practice must have been in place for the prior 12 months to qualify, which means it must have been fully implemented for the entirety of that period, not merely adopted at its start. If HHS determines that a covered entity or business associate has properly implemented such practices, it may reduce penalties for HIPAA violations, terminate HIPAA audits early, and mitigate remedies agreed upon in resolving potential HIPAA violations.
As a first step, HHS has issued a request for information (RFI) regarding covered entities’ and business associates’ voluntary implementation of recognized security practices. The RFI asks for information on how covered entities and business associates understand recognized security practices, how recognized security practices are implemented, and how covered entities and business associates can demonstrate compliance with these practices. The department will use the responses to determine how to tailor future guidance or regulations in order to provide clarity on this issue.
The RFI makes clear that the 2021 legislation does not require covered entities and business associates to adopt any recognized security practice, but doing so may lead to more favorable determinations about penalties, audits, or other remedies.