In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services now seeks public comment on what should be considered a recognized cybersecurity practice.

Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices and ensure they have been actively and consistently used over the prior 12-month period to reduce the risk of HIPAA audits and fines.

See our recent alert for more details about this request for public comments, which are due June 6.