In April 2022, OCR issued a public Request for Information (RFI) seeking comment on how covered entities and business associates are implementing recognized security practices. OCR intends to use the responses to inform potential future guidance on implementing HR 7898.
What is the Cybersecurity Best Practices Bill?
HR 7898 amends the HITECH Act by adding a new Section 13412. Under this section, when deciding whether to conduct an audit or issue a fine, the HHS Secretary must consider whether the covered entity or business associate has adequately demonstrated that it had recognized security practices in place for the previous twelve months.
Under the law, “recognized security practices” mean:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA.