May 26, 2022
On Jan. 5, 2021, Public Law 116-321 amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider covered entities’ (most healthcare providers, health plans and clearinghouses) or business associates’ “recognized cybersecurity practices” when determining fines, audits and remedies for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as discussed in a previous McGuireWoods post.
HHS now seeks public comment on how covered entities and business associates voluntarily implement security practices. The responses will help its Office for Civil Rights (OCR) determine what counts as a “recognized cybersecurity practice” and how such practices should be weighed as mitigating factors when OCR audits or fines covered entities and business associates for HIPAA violations. See Request for Information (RIN 0945-AA04).
According to HHS, cybersecurity threats are a significant concern driving the need to safeguard electronic protected health information. One of the primary goals of the amendment was to encourage covered entities and business associates to do “everything in their power to safeguard patient data.” To achieve this goal, Congress sought to “[incentivize] healthcare entities to adopt strong cybersecurity practices by encouraging the Secretary of HHS to consider entities' adoption of recognized cybersecurity practices when conducting audits or administering HIPAA fines.”
The amendment specifies that a covered entity or business associate must “adequately demonstrate” its recognized security practices. OCR has explained that this requires more than establishing and documenting the adoption of security practices: the entity must show that those practices were actively and consistently in use for the preceding 12 months.
Demonstrating compliance with recognized security practices acts as a quasi-safe harbor for covered entities and business associates, allowing them to avoid or mitigate hefty fines or potentially obtain early or favorable termination of an audit.
OCR seeks public comment on the following:
Comments may be submitted electronically through the Federal eRulemaking Portal or by mail, and are due by June 6, 2022.