HealthcareCISO

Under legislation passed by Congress this weekend that awaits President Donald Trump's signature, HIPAA enforcers, when considering financial penalties for compliance violations, would need to determine whether an organization had implemented "recognized security practices," such as the National Institute of Standards and Technology's cybersecurity framework.

The legislation, which would modify the HITECH Act, came about after some healthcare organizations and trade associations complained that the Department of Health and Human Services was unfairly penalizing entities reporting breaches of health information that were the result of cyberattacks and ransomware incidents, notes privacy attorney David Holtzman, principal of the consulting firm HITprivacy.

Under the bill...