On January 5, 2020, President Trump signed a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and provides a safe harbor for organizations that had implemented recognized security best practices before suffering a data breach.
The bill does not go so far as to stop the Department of Health and Human Services’ Office for Civil Rights (OCR) from issuing financial penalties for HIPAA compliance failures that led to a data breach, but the amendment requires OCR to take into account the security measures an entity had in place to reduce cybersecurity risk during the one year preceding the breach.
The principal goal of the bill is to give healthcare organizations an incentive to adopt a proven, formal, and recognized cybersecurity framework and to follow industry security best practices, since doing so provides some insulation from regulatory enforcement action.
The bill requires HHS to consider an entity’s use of recognized security practices when reviewing reported data breaches and weighing HIPAA enforcement penalties or other regulatory measures. If an entity has followed the NIST Cybersecurity Framework or the HITRUST CSF, for example, that will be taken into account when penalties for a security breach are assessed. Adherence to recognized security practices will also mitigate the remedies agreed between a covered entity and HHS to resolve potential violations of the HIPAA Security Rule.
The bill further requires HHS to reduce the scope and duration of audits when an entity is found to have met industry-standard security best practices. It also states that HHS is not permitted to increase penalties for entities that have not adopted recognized security practices.
Recognized security practices are the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities. The covered entity or business associate identifies these practices in a manner consistent with the HIPAA Security Rule.
The healthcare sector is heavily targeted by cybercriminals, and healthcare data breaches are becoming far more common. Year after year the number of cyberattacks on healthcare organizations and their business associates grows, and 2020 was the worst year on record for healthcare data breaches. OCR also imposed more HIPAA financial penalties on covered entities and business associates in 2020 than in any year since HHS was first authorized to fine HIPAA violations.
Healthcare organizations and HIPAA business associates that have not yet implemented a common cybersecurity framework or recognized security practices should do so now. Adopting recognized security practices will help reduce the likelihood of a data breach and limit the adverse consequences when one does occur.