HHS Requirement for Security Practices NIST

In January of 2021, the Department of Health and Human Services issued an amendment to the Health Information Technology for Economic Clinical Health (HITECH) Act regarding certain security practices of covered entities and business associates. They define adequate security practices as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This amendment allows for the Department of Health and Human Services to consider adequate security practices when determining potential violations of the HIPAA Security Rule by covered entities or business associates. More and more, we are seeing this become common practice across many laws, including privacy law enforcement worldwide, as numerous enforcement actions from the Federal Trade Commission and abroad have demonstrated that those organizations that have not shown any signs of compliance or the implementation of adequate security and privacy practices will face greater fines and penalties.

About the Author

Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2, SOC 3 and Privacy service lines and is also an AICPA-approved and nationally listed SOC Specialist. As practice leader she is responsible for internal training, methodology creation and quality reporting. Debbie also leads the firm’s Midwest market. Debbie has over 20 years of IT compliance and attestation experience. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.

More Content by Debbie Zaller