HIPAA amendment incentivizes cybersecurity best practices
by Ryan Ozawa
The Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, is a landmark piece of legislation for both the healthcare industry and the technology sector, establishing regulatory authority over health plans and policies and setting standards for privacy and security where protected health information (PHI) is concerned.
Over the years, HIPAA has been refined and strengthened through several subsequent law and policy changes. The latest revisions to the law reference “recognized cybersecurity practices” as a way to limit or minimize HIPAA violations and penalties.
From HIPAA to HITECH
One of the most substantial changes to HIPAA came in 2009, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promoted the adoption and meaningful use of health information technology, as well as formalized how violations of HIPAA are handled.
The final enforcement rules, covered in Section 13410(d) of the HITECH Act:
- Removed protections for covered entities that were unaware of their legal obligations
- Provided a 30-day grace period for correcting violations, provided they were not due to willful neglect
- Established four categories of violations representing increasing levels of culpability
- Set four corresponding tiers of penalty amounts, greatly increasing the minimum penalty for each violation
- Set a maximum penalty of $1.5 million for all violations
Latest HITECH amendment
On January 5, 2021, HR 7898 became law, amending the HITECH Act to provide incentives to covered entities to adopt “recognized cybersecurity practices” when developing monitoring and audit procedures, and setting risk management and security policies and practices.
If a covered entity can demonstrate the adoption and implementation of such practices, it will benefit from additional consideration by the U.S. Secretary of Health and Human Services in determining fines and other enforcement measures should there be a data breach or other HIPAA violation.
Specifically, the amendment says the Secretary will consider whether an entity has had “recognized security practices in place” for at least a year prior to any reported violation. If so, such practices could mitigate the imposition of fines, mitigate the remedies called for in any settlement or penalty, and even prompt an early, favorable termination of an audit.
What are “recognized security practices”?
The 2021 HITECH Amendment defines recognized security practices as “programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” These include:
- Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act
- Section 405(d) of the Cybersecurity Information Sharing Act
Both citations call for a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.
Proponents of the amendment say that the changes give covered entities and business associates greater flexibility in implementing security practices that correlate with the size, scope and complexity of their respective organizations.
Are there specific examples?
Commonly referenced resources for recognized security practices include:
- An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST)
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HHS)
These pages provide example documents, templates, and practical tips for ensuring a strong risk management and cybersecurity program, including the NIST Risk Management Framework, guides for workforce security, information access management (such as an IT asset inventory), and contingency planning (such as a business continuity plan), and expanded manuals covering cybersecurity practices for small, medium and large organizations.
Watch our NIST webinar
Paubox recently hosted an industry webinar titled “Applying the NIST Privacy Framework in Healthcare,” featuring NIST Policy Advisor Dylan Gilbert and Paubox founder Hoala Greevy. In the webinar, we cover:
- What the NIST Privacy Framework is and how it applies to healthcare
- How to effectively manage privacy risk and why it differs from cybersecurity risk
- Why a privacy framework is needed and how it is structured
- How your organization can engage and use this framework