HITECH Act Amendment Incentivizes Adoption of NIST and Other Recognized Cybersecurity Safeguards as a Defense or Mitigation to HIPAA Enforcement
The National Law Review
Brian G. Cesaratto, Patricia M. Wagner, Alaap B. Shah
On January 5, 2020, HR 7898 became law, amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying with the HIPAA privacy and security standards to reduce risk associated with security threats and HHS enforcement determinations. Specifically, the earlier adoption of an established, formalized and recognized cybersecurity framework may significantly insulate entities from regulatory enforcement in the wake of subsequent security incidents or data breaches.
The amendment mandates...