The Health Information Technology for Economic and Clinical Health Act (HITECH) was amended on January 5th of this year, when HR 7898 ("To amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes") was signed into law. HITECH was originally signed into law in 2013 and addressed many changes since HIPAA was established. This new amendment establishes a "safe harbor" for Covered Entities and Business Associates trying to balance compliance, risk, and information security.
The safe harbor applies when the Department of Health & Human Services (DoHHS) is assessing fines, evaluating audits, or reviewing proposed mitigation steps. It requires DoHHS to consider whether the covered entity or business associate adequately demonstrated that it had "recognized security practices" in place for at least the prior 12 months, and to let that showing mitigate the outcome of an investigation (e.g. reduce a fine, end an audit, or lessen a required remedy). This is HUGE NEWS for anyone who has experienced a breach despite doing a reasonable and appropriate job of protecting their patients' information.
Before anyone treats this news as a "get out of jail free card", note that DoHHS is basing recognized security practices on NIST-approved publications and approaches. We advocate a formal cyber security framework (CSF) for any healthcare entity. HIPAA is really a useful subset of most CSFs, so time spent supporting both is not wasted - but HIPAA is not a CSF on its own. Notably, there are other CSFs out there (e.g. SANS Critical 20, ISO 27001, etc.).
It's nice to see the federal government acknowledging the work that some healthcare entities are performing to protect their ePHI. Criminals are always working to create the next security incident or breach, so let's keep our guard up regardless of any safe harbor.
As always, this post is not legal advice, and we encourage our readers to work with their counsel to understand the specifics of this legislation and how it may apply to their organization.
Stay (HIPAA) safe,