Cyber Risk Advisory
New Cybersecurity Legislation to Amend the Health Information Technology for Economic and Clinical Health (HITECH) Act – An Analysis of H.R. 7898
This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free.
New legislation, passed by Congress and signed by the president on January 5, 2021, amends the HITECH Act with an additional section titled "SEC. 13412. RECOGNITION OF SECURITY PRACTICES."[1]
The fundamental driver for amending HITECH is to ensure the secretary of Health and Human Services (HHS) and the constituent HHS offices (e.g., the Office for Civil Rights) take into consideration whether a covered entity or business associate is using appropriate and recognized security best practices when investigating a complaint or responding to a breach of protected health information (PHI).
Though this is important legislation for the healthcare sector, it is equally important not to read too much into it. The amendment is intended to allow the secretary of HHS additional latitude to consider “recommended security practices” when determining fines pursuant to the authorities vested with the secretary.
The House bill does not stand alone but amends the HITECH legislation with additional guidance regarding HHS enforcement processes. It does not obviate any of the HIPAA Rules or their subparts, nor does it provide a safe harbor provision or statute. Covered entities and their business associates are still required to comply with the specifications and requirements of the HIPAA Rules.
Specifically, the legislation calls out the "approaches promulgated under section 405(d) of the Cybersecurity Act of 2015" as "recognized security practices." Many may not be familiar with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) developed by the 405(d) Task Group. The HICP is a basic primer on cybersecurity best practices that includes a subset of practices scaled for small, medium, and large healthcare organizations. It identifies key threats to the healthcare sector and recommends the security practices appropriate to mitigate each threat. The HICP has several components:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents 10 practices to mitigate those threats.
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations: Technical Volume 1 discusses the 10 cybersecurity practices along with sub-practices for small healthcare organizations.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations: Technical Volume 2 discusses the 10 cybersecurity practices along with sub-practices for medium and large healthcare organizations.
- Resources and Templates: The resources and templates portion includes a variety of cybersecurity resources and templates for end users to reference.
- Cybersecurity Practices Assessments Toolkit (Appendix E-1): This tool helps organizations prioritize cyber threats and develop action plans using the assessment methodology outlined in the Resources and Templates volume. This tool is under development.
This legislation is intended to minimize punitive regulatory measures when reasonable security practices have been implemented by a healthcare organization under investigation by HHS. A healthcare organization that is doing what is reasonable and appropriate to manage cybersecurity should be considered a victim and not a perpetrator.
[1] https://www.congress.gov/bill/116th-congress/house-bill/7898/text?r=2&s=1