Statute Examines Security Practices and Health Information Privacy

January 16, 2021 34 view(s)
Statute Examines Security Practices and Health Information Privacy
On January 5th, 2021, President Donald Trump signed H.R. 7898 into law. The statute amends the Health Information Technology for Economic and Clinical Health Act (HITECH). The amendment, specifically, addresses fines and penalties levied by the Department of Health and Human Services (HHS). Now, before assessing penalties under the HIPAA Security Rule, the HHS must consider the organization’s implementation of “recognized security practices.” The Security Rule establishes safeguards to protect electronic personal health information created, received, used, or maintained by a covered entity.

Definition of “Recognized Security Practices”

The new law defines “recognized security practices” as the following:
  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act;
  • certain approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
  • other programs/processes that address cybersecurity. (Additional statutory authorities developed, recognized, or promulgated through regulations these other programs or processes.)
Accordingly, the HHS will likely specify, at a later date, what security practices meet these standards and qualify for consideration.

Demonstrating Compliance

The statute states that if a covered entity can demonstrate compliance with “recognized security practices” it may receive:
  • a mitigation of fines or penalties related to an HHS investigation resulting from a security incident;
  • an early and/or favorable termination of an audit brought under section 13411 of HITECH; and
  • the mitigation of remedies agreed to in any agreement with respect to resolving potential violations of HIPAA Security Rule.
Compliance is only reached, however, if the security practices were in place for twelve months prior to the violation.

Employer Takeaways

In conclusion, all HIPAA-covered entities should adopt “recognized security practices” if they have not already. Employers should also clearly document those practices to show their compliance in trying to prevent data breaches. As mentioned earlier, those “recognized security practices” may beneficially impact fine determination in the event of a data breach.
by

NOTE: The details in this blog are provided for informational purposes only. All answers are general in nature and do not constitute legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The author specifically disclaims any and all liability arising directly or indirectly from the reliance on or use of this blog.

Comments
Leave your comment
Your email address will not be published
Leave your comment
Loading...
Options chevron-down
Contact Us
Compliance 101A
Categories chevron-down
Search the blog chevron-down
Recent posts chevron-down
Latest EEOC Enforcement Data Shows Increased Pre-Litigation Activity Latest EEOC Enforcement Data Shows Increased Pre-Litigation Activity
57 view(s)
EEOC Pens Letter to Companies Regarding Title VII Compliance and DEI Initiatives EEOC Pens Letter to Companies Regarding Title VII Compliance and DEI Initiatives
112 view(s)
NLRB Officially Reinstates Previous 2020 Joint Employer Standard NLRB Officially Reinstates Previous 2020 Joint Employer Standard
197 view(s)
OSHA Releases New Job Safety and Health Workplace Poster OSHA Releases New Job Safety and Health Workplace Poster
432 view(s)
Agency Releases Newly Proposed Independent Contractor Status Rule; Seeks Employer Comments Agency Releases Newly Proposed Independent Contractor Status Rule; Seeks Employer Comments
54 view(s)