How to Implement the Cybersecurity Best Practices Bill

In January of 2021, HR 7898, nicknamed the Cybersecurity Best Practices bill, was signed into law. Under this law, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) must consider whether an entity used recognized cybersecurity best practices in the year preceding a violation when deciding whether to penalize the organization. 

In April of 2022, OCR issued a public Request for Information (RFI). The RFI seeks public comment on how covered entities and business associates are implementing recognized security practices. OCR is seeking comments to inform potential future guidance on implementing HR 7898. 

What is the Cybersecurity Best Practices Bill?

HR 7898 amends the HITECH Act by adding a new section. Under this new Section 13412, when deciding to conduct an audit or issue a fine, the HHS Secretary must consider whether a covered entity or business associate has adequately demonstrated that it had recognized security practices in place for the previous twelve months. 

Under the law, “recognized security practices” mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA.


How to Implement the Cybersecurity Best Practices Bill: Help Us to Help You

The Request for Information states that public comment will enable OCR to consider ways to support the healthcare industry’s implementation of recognized cybersecurity best practices. 

HHS seeks public comment on three areas:

  1. How are covered entities and business associates implementing “recognized security practices”?
  2. How are covered entities and business associates adequately demonstrating that recognized security practices are in place?
  3. Are there an