On January 5, 2021, President Trump signed into law H.R. 7898, a bill that originated in the House Energy and Commerce Committee and is commonly called the HIPAA Safe Harbor bill. Now law, H.R. 7898 requires the Department of Health and Human Services (HHS) to give covered entities and business associates credit for following recognized cybersecurity practices. When deciding whether to impose a fine, how large that fine should be, or how far an audit should go, HHS must now take into account whether the organization has been using recognized security practices to comply with the HIPAA Security Rule.
HIPAA Cybersecurity Best Practices and HR 7898
The HIPAA Safe Harbor bill defines "recognized security practices" broadly, to mean:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act (NIST Act), the provision under which the NIST Cybersecurity Framework is maintained.
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices, or HICP, publication).
- Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under federal statutory authorities other than HIPAA.
HIPAA Cybersecurity Best Practices: What Must HHS Consider?
The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to consider whether a covered entity or business associate has adequately demonstrated that it had recognized security practices in place for not less than the previous 12 months. HHS must weigh this when determining the amount of a fine, when deciding the length and extent of an audit, and when settling on remedies with the organization. If such practices were in place, HHS may lower the fine, end an audit early or narrow its scope, and soften other remedies. Two points matter in practice: the 12-month look-back means a program stood up after an incident earns no credit, so the practices, and evidence of them, must be in place continuously and documented before anything goes wrong; and the law is a one-way safe harbor, expressly giving HHS no new authority to increase a fine or expand an audit because an organization has not adopted recognized security practices.
HHS must now develop guidance and regulations that implement the law. There is no specific timeline for HHS to do so, but covered entities and business associates should begin preparing now by mapping their existing controls to one of the recognized frameworks and keeping dated evidence that those controls were in operation.
The legislation recognizes the significance of cyberthreats to the healthcare sector while addressing a long-standing complaint of the healthcare industry: HIPAA enforcement actions have imposed significant penalties on organizations that were victimized by cyberattacks despite running cybersecurity programs built on recognized best practices.