On December 19, the Senate passed H.R.7898, which the House of Representatives had previously passed on December 9. This law amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services (HHS) to consider certain “recognized security practices” of covered entities and business associates when making determinations to issue fines or penalties under the HIPAA Security Rule.
The law defines “recognized security practices” as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the [NIST] Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” It is likely that HHS will further specify what security practices meet these standards and qualify for consideration.
If signed into law, this bill would potentially benefit covered entities and business associates that are subject to HHS investigations as a result of a security incident but have taken steps to document their compliance with the HIPAA Security Rule and other standardized security practices. In terms of its effective date, the law states that it “shall take effect as if included in the enactment of the 21st Century Cures Act.” This likely means that the new law will go into effect on January 1, 2021 (since many of the provisions of the 21st Century Cures Act go into effect on that date) and will not apply retroactively.
The law awaits presidential signature (with no clarity on whether it will be signed or not). Even if signed into law, HHS will need to go through the notice and rulemaking process in order for the new law to be implemented, which may be delayed by the fact that HHS recently proposed changes to the HIPAA Privacy Rule and will likely be working towards implementing those revisions. Still, the new law is a welcome sign for HIPAA-covered businesses that have taken steps to document their security compliance. Companies should consider the impact of this new law (if passed) on any ongoing security-related investigations.