One of the most substantial changes to HIPAA came in 2009, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promoted the adoption and meaningful use of health information technology, as well as formalized how violations of HIPAA are handled. The final enforcement rules, covered in Section 13410(d) of the HITECH Act:
On January 5, 2021, HR 7898 became law, amending the HITECH Act to provide incentives for covered entities to adopt "recognized cybersecurity practices" when developing monitoring and audit procedures and when setting risk management and security policies and practices. If a covered entity can demonstrate the adoption and implementation of such practices, it will benefit from additional consideration by the U.S. Secretary of Health and Human Services in determining fines and other enforcement measures should there be a data breach or other HIPAA violation.
Specifically, the amendment says the Secretary will consider whether an entity has had "recognized security practices in place" for at least a year prior to any reported violation. If so, such practices could mitigate the imposition of fines, mitigate the remedies called for in any settlement or penalty, and even prompt an early, favorable termination of an audit.
The 2021 HITECH Amendment defines recognized security practices as "programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities." These include:
Both citations call for a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.
Proponents of the amendment say that the changes give covered entities and business associates greater flexibility in implementing security practices that are proportionate to the size, scope, and complexity of their respective organizations.
Commonly referenced resources for recognized security practices include:
These pages provide example documents, templates, and practical tips for building a strong risk management and cybersecurity program, including the NIST Risk Management Framework; guides for workforce security, information access management (such as an IT asset inventory), and contingency planning (such as a business continuity plan); and expanded manuals covering cybersecurity practices for small, medium, and large organizations.
Paubox recently hosted an industry webinar titled "Applying the NIST Privacy Framework in Healthcare," featuring NIST Policy Advisor Dylan Gilbert and Paubox founder Hoala Greevy. In the webinar, we cover:
You can access the slides presented during this webinar here, and watch the recorded event here.