New HITECH Amendment Provides HIPAA Safe Harbor for HITRUST Adoption

Blog Post by Angela Fitzpatrick, ITRM Senior Manager at Meditology Services

On January 5, 2021, the President signed HR 7898 into law. The bill amends the HITECH Act to require the Department of Health and Human Services (HHS), acting through the Office for Civil Rights (OCR), to take an organization's adoption of "recognized security practices" into account in HIPAA enforcement. The statute defines those practices as the standards, guidelines and best practices developed under the NIST Cybersecurity Framework (NIST CSF), the approaches developed under Section 405(d) of the Cybersecurity Act of 2015, and other cybersecurity programs and processes developed, recognized or promulgated through regulations under other statutory authorities. HITRUST is not named in the bill text, but the HITRUST CSF is built on and mapped to the NIST CSF and is widely treated as falling within this third category, which is why the law is expected to incentivize covered entities and business associates to adopt the HITRUST CSF and NIST CSF.

These changes create what is commonly described as a HIPAA safe harbor, although it is more precisely a mandated mitigating factor than an exemption: OCR must consider whether a covered entity or business associate had recognized security practices in place when determining civil money penalties, the length and extent of audits, and the remedies agreed to in settlements. Adoption and certification of the HITRUST CSF is one way to evidence those practices.

Covered entities and business associates that achieve HITRUST certification therefore have a much stronger negotiating position when entering into settlement conversations with OCR related to breaches involving violations of the HIPAA Security Rule. Note that the law applies only where the recognized security practices were in place for not less than the 12 months preceding the enforcement action, so a certification obtained after a breach will not help with that breach.

Organizations that are HITRUST CSF certified but still suffer breach events will be in the best position to argue for reduced fines, or for no fines at all, at OCR's discretion; the difference is that OCR is now required to weigh these factors rather than merely permitted to. Organizations that adopt the HITRUST CSF as a foundation for policies, control implementation and program reporting, even short of certification, will also be in a better position to minimize federal enforcement actions, provided they can document that the practices were actually implemented over the preceding year.

This amendment represents an important shift in incentives for healthcare entities to adopt HITRUST. Many of them traditionally pursued HITRUST certification to satisfy contractual mandates from customers and partners and to build programs that reduce enterprise cybersecurity risk and the likelihood of breaches more generally. The added ability to influence HIPAA enforcement by OCR is likely to result in more covered entities and business associates making the leap into formal HITRUST CSF adoption and certification.

The bill names the NIST CSF directly as a recognized security practice. NIST does not offer a certification mechanism to validate adoption of the NIST CSF, however, so entities relying on the NIST CSF alone will have to independently demonstrate, and document over the required 12-month period, meaningful adoption of the framework in order to persuade OCR to reduce enforcement activity. An independently validated HITRUST certification provides that evidence in a form OCR can readily assess, which is one advantage of pursuing HITRUST certification over adopting the NIST CSF on its own.

HITRUST offers an independent, third-party validation of an organization's implementation of the NIST framework: the organization establishes a Target Profile via HITRUST's framework-based approach to risk analysis, and its Current Profile is assessed through a HITRUST Validated Assessment. The HITRUST CSF is one of NIST's Online Informative References (OLIR), and HITRUST CSF controls are mapped to the NIST CSF Core Subcategories, which identify the specific cybersecurity outcomes organizations should strive to achieve.

In fact, leveraging the HITRUST CSF is a central component of the Healthcare Cybersecurity Framework Implementation Guide developed under the auspices of the Critical Infrastructure Partnership Advisory Council, a public-private partnership sponsored by DHS. It should also be noted that a 2018 GAO report on NIST CSF implementation stated that healthcare sector officials encourage alignment with existing cyber guidelines and specifically cited the HITRUST CSF as an example of how an organization can demonstrate "compliance" with the NIST CSF.

The healthcare industry has long desired HIPAA safe harbors for organizations that demonstrate that they are doing all the right things from a security perspective prior to experiencing breach events. This new law may not go as far as some would like in that regard, but it certainly is a step in the right direction.

If you want to get ahead of this and start building your HIPAA safe harbor defensibility, you can reach out to our team here at Meditology and we can help you get started. We can support your organization's alignment with these standards so that you can demonstrate, with evidence that spans the required 12-month lookback, that you are implementing recognized security practices and reduce your exposure to financial penalties and other OCR enforcement activity.
