HHS Requirement for Security Practices NIST

Debbie Zaller

In January of 2021, the Department of Health and Human Services issued an amendment to the Health Information Technology for Economic Clinical Health (HITECH) Act regarding certain security practices of covered entities and business associates. They define adequate security practices as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This amendment allows for the Department of Health and Human Services to consider adequate security practices when determining potential violations of the HIPAA Security Rule by covered entities or business associates. More and more, we are seeing this become common practice across many laws, including privacy law enforcement worldwide, as numerous enforcement actions from the Federal Trade Commission and abroad have demonstrated that those organizations that have not shown any signs of compliance or the implementation of adequate security and privacy practices will face greater fines and penalties.

About the Author

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national service lines of SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.
More Content by Debbie Zaller

Return to Home

Stay up to date and discover new insights into compliance through our team’s thought leadership

HHS Requirement for Security Practices NIST

About the Author

Previous Article

Next Article

HHS Requirement for Security Practices NIST

About the Author

Previous Article

Next Article

Most Recent Articles

Every auditor needs technical expertise, but at Schellman, to truly achieve our "Quality Above All" mission, we believe soft skills are just as important to anyone looking to succeed in this field.

Protecting personally identifiable information (PII) in your charge is paramount to keeping your customers' trust. We provide 6 steps that can help decrease the likelihood of a breach & keep PII safe.

Introducing our new Head of Client Acquisition--welcome to Schellman, Jay Wager!

Which facet of the CSA STAR Program is right for your organization? We break down the basics, as well as the pros and cons, of both the Certification and Attestation to help inform your decision.

If you're gearing up for an internal pen test, learn exactly what you're in for and how you can streamline your preparation by making 2 key decisions ahead of time. Famous detectives throughout

Introducing Craig Kallin as our new Chief Marketing Officer--welcome, Craig!

Violations of HIPAA can carry heavy civil or criminal penalties (or both!). Don't be caught out--we break down the different tiers of violations & penalties so you understand clearly what's at stake.

Not sure if you need the privacy category in your SOC 2? Put that confusion to rest as we detail the advantages and drawbacks of such, along with some alternatives that may suit your needs better.

Not sure if you have the time to fit in a PCI SSLC assessment? We break down how long these evaluations take so that you can set clearer expectations for the necessary resources.

Need a HITRUST assessor and not sure how to choose among your options? We walk you through their role and provide 4 crucial questions to ask during your vetting process.

Getting ready for your penetration test with Schellman's team? Here are 6 common issues you'll want to avoid so that your testing isn't delayed and goes as smoothly as possible.

Schellman's 10% 401(k) match ranks high within our benefits package. Find out why this unparalleled match holds so much value for our employees who are focused on their futures.

Concerned about the hefty fines for violating HIPAA? We define what a violation is, common examples, who can be affected by the consequences of such, and how to avoid all this in the first place.

Not sure what to look for when vetting audit firms? We break down 5 factors that should play a big part in your final decision in choosing someone to provide you with compliance services.

Curious about the CSA STAR Program or how its certification works together with ISO 27001? We answer basic questions on the relationship between the two so that you understand if CSA STAR is right for

Not sure if an update you've made is a "significant change?" We overview PCI DSS's definition of such while also providing examples of significant changes to help your environment stay in compliance.

Curious about Schellman's pen test capabilities? Read about what you can expect from our experienced team of pen testers during an engagement, including details on our qualifications & deliverables.

Not sure how to determine whether your vendor is a subservice organization? We provide all the details you need to tell the difference ahead of your next SOC examination.

The guidance within NIST SP 800-53 affects many different kinds of organizations. To help you clarify if you're one of them, we detail the latest revision of 800-53 provides and whom it affects.

Wondering what to expect in your pricing discussions for a PCI SSLC assessment? We break down baseline price ranges as well as what factors unique to your organization will affect your final number.