Healthcare providers and business associates must meet clear, specific criteria to benefit from this law
On January 5, 2021, an innovative amendment of the HITECH Act of 2009 was signed into law as H.R. 7898, also known as Public Law 116-321, and less formally known simply as the HITECH Amendment. Its purpose is to encourage healthcare providers and business associates to adopt recognized security practices voluntarily and proactively in their organizations in order to better safeguard protected health information (PHI/ePHI).
To accomplish that purpose, the new law empowers the HHS Office for Civil Rights to (1) reduce civil money penalties imposed on HIPAA violators, (2) reduce the scope and duration of related OCR audits, and (3) reduce the terms of the related violation settlement agreements and corrective action plans for HIPAA violators who have met the law’s requirements.
This is Not a Safe Harbor Law
An important clarification addresses the early misconception that H.R. 7898 is a Safe Harbor law; it is not. Just two months prior to the enactment of H.R. 7898, HHS published revised Safe Harbor provisions for the Anti-Kickback Statute and the Civil Monetary Penalty Rules Regarding Beneficiary Inducements, which may have contributed to this misconception.
According to the HHS Office for Civil Rights, the HITECH Amendment provides for the mitigation of civil money penalties and the remedies offered to resolve potential Security Rule violations. This is not the same thing as a “safe harbor” or immunity from liability.
“Regulated entities should not interpret the HITECH Amendment to mean that if they implement recognized security practices, they cannot be held responsible for potential Security Rule violations.”
Two Basic Requirements of H.R. 7898
For an organization to qualify for leniency under H.R. 7898, its recognized security practices must, at a minimum, meet the following two basic requirements:
- They must have been adopted at least 12 months prior to the attack, data breach, or other security incident that was reported to the OCR per HIPAA Breach Notification Rule requirements, and
- They must be clearly based on one of three accepted industry sources: the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the 2015 Cybersecurity Act section 405(d), or certain other accepted sources, such as the HITRUST CSF.
Other Points of H.R. 7898 Clarification
Adoption Leads to Compliance. Implementing recognized security practices delivers a significant benefit to the organization in meeting HIPAA Security Rule requirements. The NIST Cybersecurity Framework and the HITRUST CSF, as two examples, incorporate Security Rule requirements into their frameworks, which in turn achieves compliance for organizations fully implementing them. In the long run, complete compliance is much less costly than partial compliance.
Does Not Prohibit Penalties for Violations. H.R. 7898 does not prohibit the OCR from continuing to impose the appropriate fines and penalties its charter allows. It simply requires that, when a HIPAA-regulated entity has voluntarily adopted recognized security practices according to all specifications and then experiences a data breach at least 12 months later, the OCR must take that voluntary adoption into consideration in the course of its investigation and settlement work.
Choosing Not to Adopt RSPs is OK. The new law does not in any way penalize organizations that choose not to adopt recognized security practices, regardless of how actively the OCR encourages their implementation.
Additional Requirements of the HITECH Amendment
Nick Heesters, senior cybersecurity advisor for the Office for Civil Rights, narrated an informative video in November 2022 that updates and clarifies the new law for healthcare organizations and business associates. According to the video, the OCR has been actively taking H.R. 7898 into consideration in its investigations since 2021, the year it was signed into law.
In addition to the two basic requirements of H.R. 7898 described above, the recognized security practices implemented by an organization must meet these criteria in order to qualify for OCR consideration:
- Plans to implement recognized security practices (RSPs) at a future date are not evidence of implementation. The OCR needs to see evidence that RSPs are actively and consistently in use throughout the organization and have been for the previous 12 months.
- Merely having written recognized security practices, absent actual implementation of the practices, is not sufficient. Implementation means the practices have been disseminated to necessary workforce members, and the practices are actually being used by the organization. A binder of RSPs sitting on a bookshelf doesn’t demonstrate that they have been implemented.
- Recognized security practices should be implemented throughout the organization. For example, it is not sufficient to implement RSPs for one workstation, one application, or a narrow slice of an organization. The exception is that certain elements of RSPs may be tailored to combat specific threats or to target specific technologies within an organization, and as such may not be applicable to the entire organization. It is incumbent upon the organization to make the case for such exceptions.
How the OCR Applies H.R. 7898 in its Investigations
The OCR has a clear process for implementing H.R. 7898 during the course of its work in monitoring HIPAA compliance and healthcare cybersecurity. This may occur in its random audits of HIPAA Security Rule compliance, or in its investigations into potential violations of the Security Rule, which are typically resolved with a settlement agreement and corrective action plan. Investigations may be triggered by employee or patient complaints, or by an organization reporting a data breach to the OCR, as required by law.
The OCR Data Request. The OCR process begins when the agency invites the organization that is being audited or investigated to voluntarily present evidence that it has implemented recognized security practices in accordance with H.R. 7898 requirements. This invitation takes the form of a data request sent to the organization.
Purposes of the Data Request. The OCR data request serves these three important purposes:
- It notifies the organization about the HITECH amendment (H.R. 7898) and the benefits an organization can receive by implementing recognized security practices. This increases awareness of the law for those who have not implemented RSPs.
- For organizations that have implemented RSPs, the data request provides written notice that they have the opportunity to present evidence of that implementation for the OCR to consider as a mitigating factor in its audit or investigation.
- The data request also offers suggestions as to how the organization can best present evidence demonstrating that it has implemented the RSPs. The suggestions are not all-inclusive, and an organization may provide any evidence it chooses to adequately demonstrate that it has implemented RSPs and met the criteria.
Acceptable Documentation. The OCR will accept a variety of documentation as evidence of RSP implementation, including contracts, statements of work, invoices, project plans, meeting notes and minutes, policies and procedures, system and application screenshots, configuration and log files, and diagrams and narrative details of implementations, as a few examples cited in the OCR video.
OCR Data Request Specifics. The data request requires the organization to identify which RSP has been implemented, to aid the OCR in evaluating H.R. 7898 applicability. Again, the three acceptable sources of recognized security practices are the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the 2015 Cybersecurity Act section 405(d), and certain other sources, such as the HITRUST CSF.
- If an organization has implemented the NIST CSF, the data request asks for evidence supporting implementation of the framework’s specific categories and subcategories.
- If the Cybersecurity Act of 2015 section 405(d) was implemented, the data request asks for enumeration of the specific cybersecurity practices and sub-practices that were implemented.
- If an organization has implemented RSPs from another accepted source, they will need to be cited specifically, including the cybersecurity controls implemented.
Use of IT Asset Inventory. The OCR requires details related to the organization-wide implementation of RSPs, and maintaining an accurate inventory of IT assets makes a valuable contribution to that level of detail. Examples may include servers, workstations, mobile devices, APIs, and other devices or software. As previously noted, an organization is not expected to implement recognized security practices that do not apply to it. For instance, if a company has no medical devices, cybersecurity practices directed specifically at medical devices are not applicable.
Summary
In concluding the video clarifying H.R. 7898, the OCR senior cybersecurity advisor emphasizes that properly implementing recognized security practices “is a great way to bolster a regulated entity’s cyber-defenses” since many elements in the RSPs meet requirements of the HIPAA Security Rule. This assists organizations in achieving and maintaining compliance with the Security Rule, as mandated by HIPAA.
Adding to that argument, the HITECH Amendment offers a further incentive for RSP implementation by requiring the OCR to consider “the RSPs that a regulated entity has had in place for the previous 12 months when determining civil money penalties, audits, and other remedies such as resolution agreements that resolve potential HIPAA Security Rule violations.”
The advantages of implementing recognized security practices under H.R. 7898 are compelling, and the HHS Office for Civil Rights encourages and supports healthcare providers and business associates in making RSPs part of their cybersecurity program. Otherwise, don’t look for any leniency after your next HIPAA violation complaint, security incident, or data breach.