On Jan. 5, 2021, the President signed into law H.R. 7898, which provides even more incentive for Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates to develop robust security compliance programs.
The new law amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the U.S. Department of Health and Human Services (HHS), when contemplating penalties for HIPAA-covered entities and business associates, to take certain security practices into account. Specifically, the HHS Secretary is required to consider whether the covered entity or business associate can adequately demonstrate that it had "recognized security practices" in place for at least the prior 12 months. If it can, that showing "may" result in early, favorable termination of audits, or mitigate other fines and penalties.
The law defines "recognized security practices" as "the standards, guidelines, best practices, methodologies, procedures, and processes" developed under:
- section 2(c)(15) of the National Institute of Standards and Technology Act
- the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015
- other processes and programs developed under other statutory authorities that address cybersecurity
The law goes on to note that "[s]uch practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)." Nothing in the new provision gives HHS authority to increase fines under section 1176 of the Social Security Act or to increase the length, extent or number of audits under section 13411. Interestingly, the new provisions also state that nothing in this particular law subjects a covered entity or business associate to liability for "electing not to engage in the recognized security practices defined by this section." At the same time, nothing in the law limits the HHS Secretary's authority to enforce HIPAA or a business associate's or covered entity's obligation to comply with the HIPAA Security Rule.