HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI) but it does not specify those safeguards. This Amendment recognizes certain safeguards and provides benefits to covered entities and business associates who implemented them.  The Amendment defines “recognized security practices” to mean:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. 

The Amendment does not permit HHS to fine a covered entity or business associate, nor to increase fines, merely due to choosing not to engage in “recognized security practices”. Likewise, the Amendment does not prevent HHS from imposing fines if the administrative, physical and technical safeguards implemented by the covered entity or business associate were lacking or not appropriate, or if there was a data breach due to a lack of appropriate safeguards.  On the other hand, a covered entity or business associate who has experienced a data breach resulting from a cyber attack could benefit from reduced fines if these recognized security measures were in place.

The Amendment is to be effective retoactively to December 13, 2016, the effective date of The 21st Century Cures Act.   

FBI Issues New COVID-19 Cyber Alert for Healthcare Providers on April 21, 2020

On April 21, 2020, the American Hospital Association alerted its members that the Federal Bureau of Investigations (FBI) had issued an FBI Flash to update healthcare providers on additional cyber activity* that continues to exploit fears related to the COVID-19 pandemic. The FBI stated that it had been notified of targeted email phishing attempts against US-based medical providers. The phishing attempts use subject lines and content related to COVID-19 and distribute malicious attachments. Individuals or companies receiving email with unsolicited attachments that may be a phishing attempt should NOT open the email or email attachment if the individual or the company does not have the capability to examine the attachment in a controlled and safe manner.

FBI Alert provides technical details. The FBI Flash provides technical details about the phishing campaign to assist individuals and company IT personnel in identifying the malicious emails. The technical details include a list of email senders, email subject lines, attachment file names and hashes related to the phishing attempts.

The FBI Requests Assistance to Respond to the Threat. To assist in the FBI’s response to the COVID-19 phishing campaign, the targeted individual, or his or her company, is being asked to:

Continue reading

HHS Office for Civil Rights Issues Telehealth HIPAA Guidance during COVID-19 Emergency

On March 17, 2020, the Office for Civil Rights (“OCR”), the agency within the Department of the United States Health & Human Services (“HHS”) responsible for enforcement of HIPAA, issued the following guidance: “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.” Pursuant to Telehealth regulatory waivers issued by the HHS Centers for Medicare & Medicaid Services (“CMS”) effective during the COVID-19 Public Health Emergency (“PHE”), providers can use telehealth at any location including in a patient’s home. As more fully explained in its Telehealth Fact Sheet March 17, 2020, HHS stated:

“The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. …  It is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others’ exposure to further illness.” Continue reading

Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

Microsoft's IE browser allows hackers to get keys for total access to otherwise secured data

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs.  Microsoft quickly confirmed the flaw on its Security TechCenter webpage.   Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw.  This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.”  FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons.  One is that hackers are already exploiting the vulnerability in an active “campaign.”  Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code.  This allows the hacker to download the malicious software to the user’s computer.  Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user.  Such access can include otherwise secure servers, databases and networks.  The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage.  Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them.  The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors.  Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system. Continue reading