New legislation, passed by Congress and signed by the president on January 5, 2021, amends the HITECH Act by adding a section titled "SEC. 13412. RECOGNITION OF SECURITY PRACTICES."[1]
The fundamental driver for amending HITECH is to ensure the secretary of Health and Human Services (HHS) and the constituent HHS offices (e.g., the Office for Civil Rights) take into consideration whether a covered entity or business associate is using appropriate and recognized security best practices when investigating a complaint or responding to a breach of protected health information (PHI).
Though this is important legislation for the healthcare sector, it is equally important not to read too much into it. The amendment is intended to give the secretary of HHS additional latitude to consider "recognized security practices" when determining fines pursuant to the authorities vested in the secretary.
The House bill does not stand alone but amends the HITECH legislation with additional guidance regarding HHS enforcement processes. It does not obviate any of the HIPAA Rules or their subparts, nor does it provide a safe harbor provision or statute. Covered entities and their business associates are still required to comply with the specifications and requirements of the HIPAA Rules.
Specifically, the legislation calls out the "approaches promulgated under section 405(d) of the Cybersecurity Act of 2015" as "recognized security practices." Many may not be familiar with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)[2] developed by the 405(d) Task Group. The HICP is a basic primer on cybersecurity best practices that includes a subset of cybersecurity practices for small, medium, and large healthcare organizations. The HICP identifies key threats to the healthcare sector and recommends the appropriate security practices to help mitigate each threat. There are several components to the HICP as follows:
This legislation is intended to minimize punitive regulatory measures when reasonable security practices have been implemented by a healthcare organization under investigation by HHS. A healthcare organization that is doing what is reasonable and appropriate to manage cybersecurity should be considered a victim and not a perpetrator.