The HHS’ Office for Civil Rights has issued guidance on Recognized Security Practices, how they must be implemented, and how HIPAA-regulated entities can prove they are in place and have been for at least 12 months.
In January 2021, Congress enacted an amendment to the HITECH Act that requires the Secretary of the HHS to consider the Recognized Security Practices that a HIPAA-covered entity or business associate has implemented when making certain determinations in its audits and investigations. If a HIPAA-regulated entity can demonstrate that Recognized Security Practices have been implemented across the entire enterprise and have been continuously in place for at least the previous 12 months, OCR will treat them as a mitigating factor and will consider reducing financial penalties and the extent of audits and investigations.
Some HIPAA-regulated entities have mistakenly taken the HITECH Act update to be a safe harbor, under which financial penalties, investigations, and corrective action plans can be avoided if Recognized Security Practices are adopted. That is not the case. If OCR identifies violations of the HIPAA Rules in its investigations of data breaches and complaints or in its HIPAA compliance audits, financial penalties will be imposed in line with the penalty structure of the HITECH Act; having Recognized Security Practices in place does not exempt an entity from penalties and sanctions, it only mitigates them. The HITECH Act amendment also applies only to HIPAA Security Rule investigations and audits. Recognized Security Practices will not be considered in investigations and audits of HIPAA Privacy Rule or Breach Notification Rule compliance.
While HIPAA Security Rule compliance is mandatory, implementing Recognized Security Practices is voluntary. If Recognized Security Practices are not adopted, or if evidence that they have been implemented is not provided to OCR, this will not be considered an aggravating factor that will see penalties increased.
Following the HITECH Act update, OCR issued a request for information from HIPAA-regulated entities and other healthcare industry stakeholders about how proof of Recognized Security Practices could be provided. After considering the comments, OCR created a video presentation that explains how that proof can be provided. In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explained that HIPAA-regulated entities are free to choose the security practices that best suit their organization and have full control over how those practices are implemented; however, OCR will only consider three categories of Recognized Security Practices:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- The approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015; or
- Other programs that address cybersecurity and are recognized by statute or regulation.
A HIPAA-regulated entity that relies on the third category, “other programs that address cybersecurity recognized by statute or regulation,” must, when providing evidence of Recognized Security Practices to OCR, include the regulatory or statutory citations showing that those practices were developed, recognized, or promulgated by statute or regulation.
When OCR is conducting an investigation or audit, it will invite the entity to voluntarily provide evidence by sending a data request. That request also serves to notify the HIPAA-regulated entity that Recognized Security Practices are being considered. OCR will accept any evidence that adequately demonstrates that Recognized Security Practices are in place and have been for at least 12 months, which could include third-party security audits, application screenshots, vulnerability scans, relevant policies and procedures, and training material. Because the 12-month window is a continuous one, entities should retain dated evidence (for example, audit reports and scan results over time) rather than a single point-in-time snapshot.
The video is essential viewing for all HIPAA-regulated entities and can be viewed on the HHS YouTube Channel.