In January 2021, Congress amended the Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 116-321) to address how the Department of Health and Human Services treats the security practices of covered entities and business associates. The amendment defines "recognized security practices" as "standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities."
Under the amendment, when the Department of Health and Human Services determines fines, audit results, and other remedies for potential violations of the HIPAA Security Rule, it must consider whether the covered entity or business associate had recognized security practices in place for at least the previous 12 months. This approach is becoming common across many laws, including privacy law enforcement worldwide: numerous enforcement actions by the Federal Trade Commission and regulators abroad have shown that organizations that cannot demonstrate compliance or the implementation of adequate security and privacy practices face greater fines and penalties.
More Content by Debbie Zaller