HITECH Act Amendment and What It Means for Incentivizing Cybersecurity Safeguards

By CHHS Extern Emma Barbato

Ransomware attacks on healthcare organizations were up 50% in the third quarter of 2020. Since 2016, ransomware attacks on healthcare organizations has cost the healthcare system around 157 million dollars.  Because  many ransomware attacks count as Health Insurance Portability and Accountability Act (HIPAA) violations, all of this leads to a large potential for fines and risk assessments that can be quite costly for organizations. 2020 saw more penalties imposed on HIPAA covered entities (which include health plans, clearinghouses, and certain health care providers) and business associates by the Health and Human Services (HHS) Office for Civil Rights than any other year since the HHS was given the authority to impose financial penalties for HIPAA violations. As ransomware and data privacy breaches become more common place, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, Hitech amendment HR 7898, adopted in January 2020, attempts to incentive organizations to adopt NIST or other viable Cybersecurity safeguards that might prevent ransomware attacks on healthcare systems.

The HITECH amendment allows for organizations to mitigate fines from HIPPA violations by requiring that “recognized cybersecurity practices” be considered by the Secretary of HHS in determining any HIPAA fines, audit results or mitigation remedies. If an entity has adopted the NIST Cybersecurity Framework or HITRUST CSF for example, it will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and the HHS to resolve potential violations of the HIPAA Security Rule

The amendment allows covered entities and related organizations some flexibility when applying “recognized security practices.” The term is broad and refers not only to procedures developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and 405(d) of the Cybersecurity Act of 2015, but also any other processes that address cybersecurity that are recognized through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Because the definition for “recognized security practices is broad it allows for scalability that takes into account the size, scope, and complexity of each organization. For many organizations this makes NIST a great jumping off point for creating a recognized cybersecurity prevention framework.

Based on the protection that the amendment provides, it makes sense for organizations that aren’t already implementing a NIST or other recognized framework to adopt or update their cybersecurity protocols. The HITECH amendment allows organizations to use their cybersecurity practices as a defense against HIPPA fines. While the amendment mainly benefits institutions attempting to mitigate some of the financial ramifications of a data breach, the upside for patients is that better security practices might lead to stopping ransomware attacks before they jeopardize valuable personal health information.