On January 5, 2021, H.R. 7898 was signed into law. H.R. 7898 amends the Health Information Technology for Economic and Clinical Health (HITECH) Act, which, among other things, sets out the civil and criminal penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) rules.
H.R. 7898 requires the Secretary of Health and Human Services (HHS) to consider whether a covered entity or business associate had “recognized security practices” in place when making penalty and audit determinations for a HIPAA Security Rule violation (i.e., a failure to implement the administrative, physical, and technical safeguards required to ensure the confidentiality, integrity, and availability of electronic protected health information, or e-PHI).
If a covered entity or business associate can demonstrate that it had “recognized security practices” in place for the 12 months prior to the HIPAA breach or security incident at issue, HHS may mitigate the fines, grant an early and favorable termination of an audit, and agree to more favorable terms in any agreement to resolve the HIPAA violation. “Recognized security practices” include the standards, guidance, best practices, methodologies, procedures, and processes developed under:
- Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
- Section 405(d) of the Cybersecurity Act of 2015; and
- Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
H.R. 7898 does not allow HHS to increase fines if a covered entity or business associate decides not to implement “recognized security practices”; rather, it gives entities an incentive to adopt them voluntarily. As written, H.R. 7898 takes effect as if it had been included in the 21st Century Cures Act (passed in 2016, which instructs federal agencies to develop a network for exchanging health information, with certain initiatives going into effect in April 2021 and December 2022), though HHS must still promulgate additional specifics under the rule.
Employer Action Items
Although employers themselves are not “covered entities” under HIPAA, their self-insured group health plans (such as self-funded medical plans and health flexible spending accounts (FSAs)) are subject to the law. As such, employers may want to work with their security/IT personnel and/or any third-party administrators (TPAs) to implement these recognized security practices and so mitigate potential penalties that could result from a HIPAA breach. Because the law requires that the security practices be maintained for the 12 months prior to a breach, employers should look to implement them as soon as practicable.
- H.R. 7898
- Section 405(d) of the Cybersecurity Act of 2015
- National Institute of Standards and Technology (NIST) Act
Disclaimer: This content is intended for informational purposes only and should not be construed as legal, medical or tax advice. It provides general information and is not intended to encompass all compliance and legal obligations that may be applicable. This information and any questions as to your specific circumstances should be reviewed with your respective legal counsel and/or tax advisor as we do not provide legal or tax advice. Please note that this information may be subject to change based on legislative changes. © 2021 Sequoia Benefits & Insurance Services, LLC. All Rights Reserved