H.R. 7898, signed into law on January 5, 2021, addresses the recognition of security practices and amends the HITECH Act – kind of.
As the hockey great Wayne Gretzky relayed, “I skate to where the puck is going to be, not where it has been.”
These words were relayed to Gretzky by his father, and they are equally applicable to cybersecurity management: look to the future to stay ahead of the curve. An article I recently read mentioned “four lines of sight” that should be used throughout a business cycle:
Let’s apply these concepts to H.R. 7898, which was signed into law on January 5, 2021, and which addresses the recognition of security practices and amends the HITECH Act – kind of.
H.R. 7898 amended the HITECH Act (42 U.S.C. §17931, et seq.) by adding Section 13412:
(a) In General.—Consistent with the authority of the Secretary under sections 1176 and 1177 of the Social Security Act, when making determinations relating to fines under such section 1176 (as amended by section 13410) or such section 1177, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
(b) Definition And Miscellaneous Provisions.—
The express language of the amendments highlights the nexus between the recognized security practices, NIST, and HIPAA. If we harken back to the Final Omnibus Rule (78 Fed. Reg. 5566, 5575, 5647 (Jan. 25, 2013)), NIST is mentioned, along with HIPAA and the HITECH Act. If organizations had applied the four concepts above to HIPAA and cybersecurity compliance, perhaps the following would have been gleaned:
In cybersecurity, as in life, a holistic approach, which includes reflecting on the past, being present today, and looking ahead to anticipate changes, trends, and threats, should be utilized. Failing to see “where the puck is going” can result in a losing strategy and increased risk for non-compliance with HIPAA and the HITECH Act.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.