HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021. This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA).

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI), but it does not specify those safeguards. This Amendment recognizes certain safeguards and provides benefits to covered entities and business associates who have implemented them. The Amendment defines “recognized security practices” to mean:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. 

The Amendment does not permit HHS to fine a covered entity or business associate, nor to increase fines, merely because it chose not to engage in “recognized security practices”. Likewise, the Amendment does not prevent HHS from imposing fines if the administrative, physical and technical safeguards implemented by the covered entity or business associate were lacking or not appropriate, or if a data breach occurred because appropriate safeguards were absent. On the other hand, a covered entity or business associate that has experienced a data breach resulting from a cyber attack could benefit from reduced fines if these recognized security measures were in place.

The Amendment is to be effective retroactively to December 13, 2016, the effective date of the 21st Century Cures Act.

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

By Kathie McDonald-McClure and Margaret Young Levi


Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care (PAC) providers when a patient has been admitted, discharged, or transferred. What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering that a process will need to be developed to identify which providers should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP? Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act? CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.*

New HIPAA Auditing Process Begins – Are You Ready?

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification regulations are complying with those regulations. OCR has already begun to send initial emails to “covered entities” and “business associates” (defined in the HIPAA regulations) regarding the audits; these emails seek to verify contact information.

Tip: These emails may be incorrectly classified as spam by corporate or email filters. OCR expects covered entities and business associates to check spam and junk email folders for emails from OCR.

Warning: Sophisticated cybercriminals could use the OCR audits as an opportunity to send fake OCR emails (“phishing emails”) in an attempt to trick employees into turning over individual health information or into clicking on links that download harmful malware into the organization’s computer network. Do not click on links or supply any documentation until

Stages 1, 2, And Now 3, Meaningful Use Criteria

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program implemented by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. Then, just two weeks later, CMS made changes to the Stage 1 and Stage 2 Meaningful Use criteria to better align them with the proposed Stage 3 criteria.

On March 30, 2015, CMS published a long-awaited proposed rule which, if finalized, would implement Stage 3, making changes to the objectives and measures of meaningful use for providers effective in

April 1 Deadline for Hospitals to Earn EHR Incentives

The Centers for Medicare & Medicaid Services (CMS) reminds hospitals that 2015 is the last year for eligible hospitals to begin participating in the Medicare Electronic Health Record (EHR) Incentive Program and earn incentive payments.

In order to earn a 2015 incentive payment, be eligible for a 2016 incentive payment, and avoid a 2016 payment reduction (called an “adjustment”), first-time hospital participants should:

  • Begin their 90-day reporting period no later than April 1, 2015 and
  • Attest by July 1, 2015.

Eligible hospitals that do not start their 90-day reporting period on April 1, 2015 have one last chance to earn a 2015 incentive payment if they begin their reporting period by July 1, 2015 and attest by