HITECH Act penalties may be reduced for organizations meeting standard security practices
President Donald Trump signed H.R. 7898 into law on January 5, amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Health and Human Services secretary to consider certain recognized security practices of covered entities (CE) and business associates (BA) when taking enforcement actions.
Under the legislation, HHS must take into account whether the CE or BA has used industry-standard cybersecurity practices for at least 12 months as it makes determinations relating to fines stemming from cybersecurity incidents. If the CE or BA can show that it has been using industry-standard practices for the required 12 months, early and favorable termination of audits and/or the mitigation of fines and penalties may follow.
The legislation defines “recognized security practices” as the standards, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST) and the Cybersecurity Act of 2015. Each CE and BA shall determine the security practices that best fit its organization, consistent with the HIPAA Security Rule.