HHS Requests Comments on HIPAA/HITECH Act: Recognized Security Practices & Methodologies to Compensate Harmed Individuals
On April 4, 2022, the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) seeking input from HIPAA-covered entities and business associates on how the industry understands and is implementing what are defined as “recognized security practices” under the HITECH Act. The RFI also asks for industry input on how individuals who have been harmed by violations of the HIPAA Rules should be compensated.
Recognized Security Practices
The HITECH Act was amended to require HHS to take into consideration “recognized security practices” of covered entities and business associates that were in place for the previous 12 months when determining fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule. The HITECH Act does not require covered entities and business associates to implement “recognized security practices” but does require that recognized security practices be consistent with the HIPAA Security Rule. To be considered by HHS, the security practices must adhere to the following definition of “recognized security practices” under the amended HITECH Act:
- The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the
- Jennifer L. Urban