The penalties for failing to observe HIPAA’s security rules can be severe. Recent legislation may cushion the impact of those penalties for covered entities making a good faith effort to comply the HIPAA rules.
The legislation amends the HIPAA HITECH Act and directs the Secretary of Health and Human Services to take account of a covered entity’s compliance with “recognized security practices” when auditing the covered entity, assessing penalties, or imposing remedies for violation of HIPAA’s security rules.
This directive applies with respect to covered entities that have adequately demonstrated that, for not less than the previous 12 months, they have had “recognized security practices” in place.
Recognized security practices are the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. The law further states that such practices shall be determined by the covered entity consistent with the HIPAA Security Rule.
What This Means for Health Plans
The Cybersecurity Act of 2015 is primarily concerned with health care providers, and is not expressly geared to HIPAA generally or health plans in particular. However, NIST published “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.”
The NIST Guide prescribes a rigorous and formal process of risk analysis, mitigation, implementation, and review. We anticipate the government will issue regulations that expand on actions a health plan must take to benefit from relief provided in the law. It is also unclear when the 12-month demonstration of compliance period begins to run. However, health plans that have not yet done much to address their obligations under the HIPAA security rules should consider taking advantage of this opportunity sooner rather than later to mitigate exposure for Security Rule violations.