
Alston & Bird Privacy, Cyber & Data Strategy Blog


New Law Requires HHS to Consider Recognized Security Practices as Mitigating Factor When Determining Penalties

January 21, 2021 By Privacy, Cyber & Data Strategy Team

On January 5, 2021, the president signed into law H.R. 7898, an Act that amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services (HHS) to consider specific recognized security practices of covered entities and business associates when making certain determinations regarding fines, penalties, and other remedies related to HIPAA violations, as well as determinations relating to the length and extent of HITECH audits.

In particular, the law requires the Secretary to consider such security practices as a mitigating factor when determining fines under Section 1176 (general penalties for HIPAA violations) or Section 1177 (penalties for wrongful disclosure of individually identifiable health information), the length and extent of a HITECH audit under Section 13411, or other remedies relating to violations of the HIPAA Security Rule.

Under the new law, the Secretary shall consider whether the entity has adequately demonstrated that it had, for not less than the previous 12 months, “recognized security practices” in place. “Recognized security practices” is defined by the Act to mean the standards, guidelines, best practices, methodologies, procedures, and processes developed under the following frameworks:

  • Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
    • This section relates to the NIST Cybersecurity Framework. Section 2(c)(15) of the NIST Act empowered the Director of NIST to facilitate the development of a voluntary, industry-led set of standards and processes to cost-effectively reduce cyber risks to critical infrastructure (the NIST Cybersecurity Framework).
  • The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015;
    • Section 405(d) of the Cybersecurity Act of 2015 called for a more coordinated approach to cybersecurity in the healthcare industry. Supporting that mission, in 2018, HHS issued voluntary cybersecurity guidance for healthcare entities (“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”) based on the recommendations of the 405(d) Task Group, an HHS- and industry-led collaborative task group.
  • Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

The Act does not create any liability or authorize the Secretary to increase fines (or the length of an audit) due to a lack of compliance with the recognized security practices; however, the law also does not affect an entity’s obligations to comply with the requirements of the HIPAA Security Rule.

Filed Under: Data Security, Enforcement, Health Privacy, HHS Tagged With: HHS, HIPAA, HITECH, National Institute for Standards and Technology (NIST)
