H.R. 7898, sent to the President for signature on December 24, 2020 may be the HIPAA holiday gift covered entities and business associates have been waiting for. The bill requires the Secretary of the Department of Health and Human Services, when considering penalties, audits and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months.
“Recognized security practices” broadly include:
[S]tandards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.
It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.
Almost exactly two years ago, HHS announced the publication of “Health Industry Cybersecurity Practices” developed as per the mandate under section 405(d) of the Cybersecurity Act of 2015. The HICP are practical, cost-effective guidelines to reduce cybersecurity risks. They include two separate sections: one designed for small health care organizations, and one designed for medium and large organizations. Though published as “voluntary” practices, entities hoping to avoid HIPAA penalties will have a new reason to voluntarily adopt them if and when H.R. 7898 takes effect.
Since entities must have had HICP or another recognized cybersecurity practice in place for at least 12 months in order to fall within the protections of H.R. 7879, the sooner such practices are implemented, the better. Every covered entity and business associate should resolve to start 2021 with a renewed commitment to implementing and/or reviewing and updating their cybersecurity practices.