The legislation defines “recognized security practices” as the standards, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology Act (NIST) and the Cybersecurity Act of 2015.
A version of this article was first published January 12, 2021, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.
President Donald Trump signed H.R. 7898 into law on January 5, amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require the Health and Human Services secretary to consider certain recognized security practices of covered entities (CE) and business associates (BA) when taking enforcement actions.
Under the legislation, HHS must take into account whether the CE or BA has used industry-standard cybersecurity practices for at least 12 months as it makes determinations relating to fines stemming from cybersecurity incidents.
If the CE or BA can show that it has been using industry-standard practices for the required 12 months, early and favorable termination of audits and/or the mitigation of fines and penalties may follow.
The legislation defines “recognized security practices” as the standards, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology Act (NIST) and the Cybersecurity Act of 2015.
Each CE and BA shall determine the security practices that best fit its organization, consistent with the HIPAA Security Rule.
Revenue Cycle Advisor combines all of HCPro's Medicare regulatory and reimbursement resources into one handy and easy-to-access portal. News is not just repeated from other sources. It is analyzed by our Medicare experts so professionals can comprehend any new rule and regulatory updates thoroughly. Learn more.