New cybersecurity legislation to amend the Health Information Technology for Economic and Clinical Health (HITECH) Act – an analysis of H.R. 7898

Rich Curtiss, Director, Healthcare Cyber Risk Services, Coalfire

New legislation was passed by Congress and signed by the president on January 5, 2021 that amends the HITECH Act with an additional section titled: SEC. 13412. RECOGNITION OF SECURITY PRACTICES.1

The fundamental driver for amending HITECH is to ensure the secretary of Health and Human Services (HHS) and the constituent HHS offices (e.g., the Office for Civil Rights) take into consideration whether a covered entity or business associate is using appropriate and recognized security best practices when investigating a complaint or responding to a breach of protected health information (PHI).

Though this is important legislation for the healthcare sector, it is equally important not to read too much into it. The amendment is intended to allow the secretary of HHS additional latitude to consider “recommended security practices” when determining fines pursuant to the authorities vested with the secretary.

The House bill does not stand alone but amends the HITECH legislation with additional guidance regarding HHS enforcement processes. It does not obviate any of the HIPAA Rules or their subparts, nor does it provide a safe harbor provision or statute. Covered entities and their business associates are still required to comply with the specifications and requirements of the HIPAA Rules.

Specifically, the legislation calls out the “approaches promulgated under section 405(d) of the Cybersecurity Act of 2015” as “recognized security practices.” Many may not be familiar with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)2 developed by the 405(d) Task Group. The HICP is a basic primer on cybersecurity best practices that includes a subset of cybersecurity practices for small, medium, and large healthcare organizations. The HICP identifies key threats to the healthcare sector and recommends the appropriate security practices to help mitigate the threat. There are several components to the HICP as follows:

This legislation is intended to minimize punitive regulatory measures when reasonable security practices have been implemented by a healthcare organization under investigation by HHS. A healthcare organization that is doing what is reasonable and appropriate to manage cybersecurity should be considered a victim and not a perpetrator.


Rich Curtiss


Rich Curtiss — Director, Healthcare Cyber Risk Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit Azure bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 CPRA credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail RISE Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS