HHS Requirement for Security Practices NIST

In January of 2021, the Department of Health and Human Services issued an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act regarding certain security practices of covered entities and business associates. It defines recognized security practices as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This amendment allows the Department of Health and Human Services to consider whether a covered entity or business associate had such security practices in place when determining potential violations of the HIPAA Security Rule. This is increasingly common practice across many laws, including privacy law enforcement worldwide: numerous enforcement actions by the Federal Trade Commission and by regulators abroad have demonstrated that organizations unable to show compliance or the implementation of adequate security and privacy practices face greater fines and penalties.

About the Author

Debbie Zaller

Debbie Zaller is Chief Operating Officer at Schellman. Debbie is responsible for maintaining and driving operational results and executing the firm's strategic goals. Debbie oversees all daily operations of the firm while spearheading the development, communication, and implementation of effective growth strategies and processes. Debbie has over 21 years of IT compliance and attestation experience. Debbie led the firm's Midwest, Southeast, and Northeast regions along with the national SOC 2 and Privacy service lines as Managing Principal before assuming the position of COO in 2021. Debbie holds a Master of Accounting degree from the University of Florida. She is a Certified Public Accountant, Certified Information Privacy Professional/United States, Certified Data Privacy Solutions Engineer, Certified Information Systems Security Professional, and Certified Information Systems Auditor, and holds the Certificate of Cloud Security Knowledge. She is currently an AICPA-approved and nationally listed SOC Specialist and a speaker on various privacy topics. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors, and served on its Finance and Office Advisory Committee.
