I guess HHS wants to be cool, so rather than having a press conference where people can ask embarrassing questions, they are going to release the proposed changes via a prerecorded video – sometime this summer. These new rules will apply to covered entities (like doctors) and business associates (like IT providers).
Part of what they are going to release is guidance on what regulators will treat as recognized security practices when deciding whether to fine a health care entity. Possibly this will give entities a little more clarity on what the “floor” for cybersecurity might be.
An update to the HITECH law requires the government to review whether an entity or business associate demonstrated recognized security practices during the prior 12 months. The review could happen after a breach or during a compliance audit.
HHS says that this video will cover how entities will need to prove what recognized security practices they are following, information on what HHS means by these particular practices and the feedback they got when they asked for comment on those practices.
They said this video process will allow them to respond more quickly than using the rulemaking process, but unless last year’s legislation allows them to bypass the rulemaking process, I don’t see how this will speed things up.
While an update to HIPAA is a good thing, don’t expect anything to happen super quickly.
Credit: Data Breach Today