HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI), but it does not specify those safeguards. This Amendment recognizes certain safeguards and provides benefits to covered entities and business associates who implemented them. The Amendment defines “recognized security practices” to mean:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. 

The Amendment does not permit HHS to fine a covered entity or business associate, nor to increase fines, merely due to choosing not to engage in “recognized security practices”. Likewise, the Amendment does not prevent HHS from imposing fines if the administrative, physical and technical safeguards implemented by the covered entity or business associate were lacking or not appropriate, or if there was a data breach due to a lack of appropriate safeguards.  On the other hand, a covered entity or business associate who has experienced a data breach resulting from a cyber attack could benefit from reduced fines if these recognized security measures were in place.

The Amendment is to be effective retroactively to December 13, 2016, the effective date of the 21st Century Cures Act.

CMS Issues COVID-19 Related Extension of the Deadline for Hospitals to Implement Electronic Patient Event Notifications

by Margaret Young Levi and Kathie McDonald-McClure

Last year, we wrote about the CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications” in which CMS proposed new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital to send electronic event notifications to primary care or post-acute care providers identified by the patient when a patient has been admitted, discharged, or transferred (ADT Notifications).  ADT Notifications are an outgrowth of the 21st Century CURES Act passed by a bi-partisan majority of Congress and signed into law on December 13, 2016 (CURES Act). The CURES Act contains aggressive goals to promote the interoperability of electronic health records and patient access to their health information.

The objective of ADT Notifications is to improve care coordination and patient outcomes. These ADT Notifications are to be integrated into either the hospital’s interoperable certified electronic health record technology (CEHRT) or other electronic administrative system such as a registration system. An ADT Notification will be required when the patient is:

  • registered in the Emergency Department (ED) or as an observational stay;
  • admitted to the hospital (regardless of whether the patient was admitted from the ED, from an observation stay, as a direct admission from home or from their practitioner’s office, or as a transfer from some other facility);
  • transferred from the ED or inpatient care; or
  • discharged from the ED, observational stay or inpatient services unit.