On January 5, 2021, President Trump signed into law legislation approved by the House Energy and Commerce Committee known as HR 7898. HR 7898, now law, requires the Department of Health and Human Services (HHS) to “incentivize” a covered entity’s or business associate’s cybersecurity best practices.
How We Get Chewed
Now, when a business is under a HIPAA audit, HHS will look at whether the company has been following cybersecurity best practices for not less than the preceding 12 months. Here is what HR 7898 classifies as best practices:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.
If these measures were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit. In other words, if you are not doing these things, your fine will be larger and your audit will be more intense for a longer period of time.
If you do not already have a designated HIPAA compliance officer and ALL the proper documentation in place, then contact us for assistance.