A new law, H.R. 7898 (Public Law 116-321), signed on January 5, 2021 as an amendment to the HITECH Act, gives HIPAA covered entities and business associates an incentive to implement a documented security program. The law requires the U.S. Department of Health and Human Services to consider an entity's security practices when determining fines, when deciding whether to terminate an audit early, and when settling on remedies after a breach. If the organization can adequately demonstrate that it had recognized security practices in place for at least the 12 months preceding the incident, HHS may mitigate the fines and other remedies it would otherwise impose. The law does not require any particular practice and does not create liability for entities that choose not to adopt one; it only rewards those that can show they did.
“Recognized security practices” are defined in the law as standards, guidelines, best practices, methodologies, procedures and processes developed under the NIST Act (in practice, the NIST Cybersecurity Framework), the approaches developed under Section 405(d) of the Cybersecurity Act of 2015 (the HHS Health Industry Cybersecurity Practices), and other cybersecurity programs and processes recognized through regulation under other statutory authorities.
This law should encourage covered entities and business associates to build their security practices and procedures on current, recognized cybersecurity guidance. Because the benefit depends on demonstrating that the practices were in place for the full 12 months before an incident, the program must be documented as it operates: dated policies, risk assessments, training records, audit logs and evidence of control operation are what an entity will need to produce when HHS asks.