Compliance News | February 9, 2021

HIPAA Enforcement to Consider Recognized Security Practices

A new federal law amending the Health Information Technology for Economic and Clinical Health Act affects enforcement of the HIPAA security rule.

HHS is now required to consider whether a covered entity (or business associate) has followed “recognized security practices.”

Young Black Man Working In A Server Room Administering The System

The HITECH amendment

The HITECH Act amendment encourages covered entities and business associates under HIPAA to follow “recognized security practices” as a defense or to mitigate penalties that could be assessed for violations of the HIPAA security rule.

The law defines these “recognized security practices” as:

  • Standards, guidelines, best practices, methodologies, procedures and processes developed under the National Institute of Standards and Technology (NIST) Act
  • Approaches promoted by the Cybersecurity Act of 2015
  • Other programs and processes that address cybersecurity and that are developed, recognized or announced though regulations under other statutory authorities

When enforcing the HIPAA security rule, HHS will now consider the extent to which a covered entity (or business associate) has followed “recognized security practices” for (at least) the previous 12 months. The requirements of the security rule itself have not changed.

It appears that the HITECH amendment took effect on January 5, 2021 when it was signed into law (Public Law 116-321).

HHS enforcement

Enforcement incudes investigating complaints, conducting audits, assessing penalties and engaging in voluntary settlement negotiations. The latter typically involve the payment of substantial sums to the government, a correction action plan and ongoing monitoring by HHS.

Under the new law, coved entities and business associates who follow recognized security practices could see lower fines, penalties or the early, favorable termination of an audit.

Learn about recognized security practices

For resources on cybersecurity, please visit:

  1. The NIST website to review its cybersecurity program, which supports cybersecurity standards and best practices
  2. The Cybersecurity and Infrastructure Security Agency (CISA) website, which offers valuable resources in the form of helpful tips and useful publications for recognizing and maintaining recognized security practices

Action items

Group health plans are required by the HIPAA security rule to periodically evaluate their security protocols, policies and procedures. A best practice is for plan sponsors to conduct a HIPAA risk assessment every two to three years to ensure security policies, procedures and operations are up to date and comply with the latest requirements. HIPAA risk assessments should also be completed when new technology is implemented, such as a new software or hardware system, or new use of remote technology.

Your next assessment should include an evaluation of how existing protocols compare to the recognized security practices mentioned in the new law.

Recent Segal resources on HIPAA

You can also view Segal’s HIPAA compliance checklist or download a presentation from a Segal webinar, HIPAA in the context of COVID-19.


Doctor greeting her patient in the waiting room of a clinic

Get Your HIPAA Compliance Checklist: Here's What To Look For

This handy list will help point out where you may need help with compliance.
Colleagues Working In A Cafeteria

HIPAA in the Context of COVID-19: Impact on Health Plans

In this webinar, you’ll hear about how some of HIPAA's privacy and security rules have changed in light of COVID-19.

Have questions about this new law?

We have answers.

Get in Touch

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.

Don't miss out. Join 16,000 others who already get the latest insights from Segal.