Compliance News | February 9, 2021
A new federal law amending the Health Information Technology for Economic and Clinical Health Act affects enforcement of the HIPAA security rule.
HHS is now required to consider whether a covered entity (or business associate) has followed “recognized security practices.”
The HITECH Act amendment encourages covered entities and business associates under HIPAA to follow “recognized security practices” as a defense or to mitigate penalties that could be assessed for violations of the HIPAA security rule.
The law defines these “recognized security practices” as:
When enforcing the HIPAA security rule, HHS will now consider the extent to which a covered entity (or business associate) has followed “recognized security practices” for (at least) the previous 12 months. The requirements of the security rule itself have not changed.
It appears that the HITECH amendment took effect on January 5, 2021 when it was signed into law (Public Law 116-321).
Enforcement includes investigating complaints, conducting audits, assessing penalties and engaging in voluntary settlement negotiations. The latter typically involve the payment of substantial sums to the government, a corrective action plan and ongoing monitoring by HHS.
Under the new law, covered entities and business associates who follow recognized security practices could see lower fines or penalties, or the early, favorable termination of an audit.
Group health plans are required by the HIPAA security rule to periodically evaluate their security protocols, policies and procedures. A best practice is for plan sponsors to conduct a HIPAA risk assessment every two to three years to ensure security policies, procedures and operations are up to date and comply with the latest requirements. A HIPAA risk assessment should also be completed whenever new technology is implemented, such as a new software or hardware system or a new use of remote-access technology.
Your next assessment should include an evaluation of how existing protocols compare to the recognized security practices mentioned in the new law.
You can also view Segal’s HIPAA compliance checklist or download a presentation from a Segal webinar, HIPAA in the context of COVID-19.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.