The healthcare industry, including health plans, is frequently, and increasingly, the target of cyberattacks. In recognition of this, Congress amended the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in early January 2021. The amendment requires the U.S. Department of Health and Human Services (“HHS”) to “consider certain recognized security practices of covered entities and business associates when making certain determinations” related to enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
For covered entities subject to HIPAA, such as employer-sponsored self-insured group health plans, and for the business associate vendors that act in support of the group health plan, the amendment provides a substantial incentive to establish or improve a cybersecurity program. It does not mandate specific practices, and it does not create a complete safe harbor from HIPAA enforcement, but it does offer organizations a way to mitigate financial penalties and other adverse regulatory actions that may follow a data breach.
Incentives for Self-Insured Health Plans and Vendor Business Associates
Specifically, the amendment instructs HHS to consider “whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may”:
- Reduce fines imposed for failing to comply with HIPAA;
- Result in an early and favorable termination of an HHS audit of HIPAA compliance; and
- Mitigate remedies that would otherwise be required by HHS in an agreement to resolve potential HIPAA Security Rule violations.
What are Recognized Security Practices
“Recognized security practices” are defined as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” In practice, the first category consists mainly of the information security standards and guidance that NIST publishes and updates periodically, which are largely non-binding outside the federal government. The practices developed under section 405(d) of the Cybersecurity Act of 2015 are specific to the healthcare industry. Even where they are not binding, these publications commonly inform the security programs of organizations in many industries.
Notably, consistent with the HIPAA Security Rule, the amendment does not mandate the adoption of any particular standard. HIPAA expressly allows covered entities and business associates to decide which recognized security practices are best suited to their organization, taking into account the requirements of the HIPAA Security Rule, the size of the organization, and other factors. In addition, the amendment does not give HHS authority to increase fines or penalties, or to extend an audit, because an entity has not adopted recognized security practices; the amendment can only work in an organization’s favor.
Takeaway
Self-insured group health plans, and the business associate vendors that support them, should consider, as part of their periodic security risk assessment, adopting a robust cybersecurity framework, not only as a defense to possible regulatory enforcement after a data breach occurs, but also to lower the risk of a data breach in the first place. Because the amendment asks whether recognized security practices were in place for at least the previous 12 months, an organization should adopt and document its chosen practices well before any incident, so that it can demonstrate that history if HHS comes calling. Given this recent change in the law, the NIST standards may be a good place to start.
If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.
NOTICE OF DISCLAIMER
The information herein is intended to be educational only and is based on information that is generally available. HUB International makes no representation or warranty as to its accuracy and is not obligated to update the information should it change in the future. The information is not intended to be legal or tax advice. Consult your attorney and/or professional advisor as to your organization’s specific circumstances and legal, tax or other requirements.
