HIPAA Penalty Changes

by Wyn Staheli, Director of Research
January 11th, 2021

One of the ongoing problems facing healthcare organizations today is HIPAA breaches. Cyber attacks are occurring with increasing regularity and placing an even greater burden on already overwhelmed healthcare providers. Regardless of how many steps you take to try to prevent breaches, they happen. Unfortunately, the HITECH provisions don’t seem to consider that healthcare organizations that have been breached are often victims themselves. Those who have followed the rules should not be penalized the same as those who have not. A new law aims to correct that situation.

On January 5, 2021, H.R. 7898 was signed into law by President Trump. This new law modifies the HITECH Act such that when an organization experiences a breach, fines and/or penalties may be reduced if the organization has had “recognized security practices,” as defined within the law, in place for at least a year. Additionally, the length of an audit may be reduced. It should be noted that if the covered entity was NOT in compliance with these practices, HHS can NOT increase audit lengths, fines, and penalties.

The law defines “recognized security practices” as (emphasis added):

“... standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)”

John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk, stated that “The law provides the right balance of incentivizing voluntary, enhanced cybersecurity protocols in exchange for regulatory relief and recognition that breached organizations are victims, not the perpetrators.”

This new law is to be effective “as if included in the enactment of the 21st Century Cures Act (Public Law 114-255).” It should be noted that implementation of the 21st Century Cures Act was delayed again in relation to the COVID-19 Public Health Emergency. There are different implementation dates within the Cures Act for different provisions of the law. At the time of publication, it appears that the effective date for H.R. 7898 provisions will be April 5, 2021, when the information blocking and communication requirements take effect.

Since we are at the start of a new year, now is a great time to begin coming into compliance with HIPAA Security rules by starting with a Security Risk Assessment. You can download a free Security Risk Assessment Tool from HealthIT.gov to get started, but keep in mind that this is only one component of HIPAA Security requirements. See the References section below and innoviHealth’s Complete & Easy HIPAA Compliance publication for more information.

References:

HIPAA Penalty Changes. (2021, January 11). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/hipaa-penalty-changes-36773.html

© InnoviHealth Systems Inc
