
Congress Passes Amendment to HIPAA Regulations


Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

Amidst all of the other events in Washington DC in January, a law was passed that amended the HIPAA regulations. The amendment requires the Department of Health and Human Services (HHS) to take certain items into account during a HIPAA investigation. The text of the bill reads as follows:

when making determinations relating to fines under such section 1176 (as amended by section 13410) or such section 1177, decreasing the length and extent of an audit under section 13411, or remedies otherwise agreed to by the Secretary, the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—

‘‘(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);

‘‘(2) result in the early, favorable termination of an audit under section 13411; and

‘‘(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.


‘‘(1) RECOGNIZED SECURITY PRACTICES.—The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).

So, what does this mean?

Section 2(c)(15) of the National Institute of Standards and Technology Act directs NIST to:

(15) on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));

Putting all of this legalese into English: if you perform a HIPAA security risk analysis, implement reasonable policies and procedures, and follow an action plan that shows you are doing everything you can to reduce the chance of a cyber security breach, then HHS must take that into account when it sets fines, decides how long and how extensive an audit will be, and negotiates remedies for potential violations. Two details in the statute matter in practice. First, the practices must have been in place for at least the previous 12 months, so a program started after an incident does not qualify. Second, the burden is on the covered entity or business associate to "adequately demonstrate" those practices, which means the risk analysis, policies, training records and action plan must be documented and kept. The law requires HHS to consider these practices; it does not promise that a fine will be reduced or eliminated. The "recognized security practices" it refers to are the voluntary standards and guidelines developed under the NIST Act (in practice, the NIST Cybersecurity Framework) and the approaches developed under section 405(d) of the Cybersecurity Act of 2015, and each organization chooses which of these to follow, consistent with the HIPAA Security Rule.

Clients of TLD Systems have a HIPAA Security Manual that covers all of the elements listed in item (15) above. They also have access to training for their staff on the HIPAA rules and regulations, and they have an action plan of steps to take to reduce the possibility of a cyber incident.

TLD Systems has a proven track record: to date, not a single active client of TLD Systems has been fined for a HIPAA violation.

For more information, please visit TLD Systems at https://www.tldsystems.com.

Michael Brody, DPM
Dr. Brody has been actively involved in computers and medicine since the 1980s. Dr. Brody was a Residency Director at a VA hospital on Long Island and was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees need to adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick to create a platform that gives doctors who wish to work in private practice a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-chair of the EHR workgroup at Health Level Seven International (HL7).
