In January 2021, an amendment to the HITECH Act was enacted by Congress that required the Secretary of the Department of Health and Human Services to consider the “Recognized Security Practices” that have been implemented by a HIPAA-regulated entity when making certain determinations in its enforcement actions.
The update to the HITECH Act does not create a safe harbor for HIPAA-regulated entities that invest in cybersecurity and implement Recognized Security Practices, but it does provide an incentive for doing so. The HHS’ Office for Civil Rights investigates all data breaches of 500 or more records and some data breaches where fewer records have been exposed. If potential violations of the HIPAA Security Rule are discovered, sanctions and penalties can be imposed, in line with the penalty structure detailed in the HITECH Act.
If a HIPAA-regulated entity can demonstrate that it has implemented Recognized Security Practices and that they have been in place continuously for 12 months, this will be considered a mitigating factor. When OCR receives evidence that Recognized Security Practices are in place and have been in place continuously for 12 months, it will consider reducing financial penalties and the extent of audits, investigations, and monitoring. Adopting Recognized Security Practices will not, however, exempt HIPAA-regulated entities from paying a financial penalty or implementing a corrective action plan.
After issuing a request for information from healthcare industry stakeholders, OCR has now published a video presentation in which Nick Heesters, senior advisor for cybersecurity at OCR, explains what Recognized Security Practices are, how OCR will consider these practices, and how HIPAA-regulated entities can demonstrate to OCR that they have been continuously in place for 12 months.
Heesters explained that the HITECH Act amendment gives HIPAA-regulated entities the flexibility to choose which Recognized Security Practices to implement and gives them control over the implementation process.
He added that OCR considers Recognized Security Practices to be one of the following:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Section 405(d) of the Cybersecurity Act of 2015
- Other programs that address cybersecurity that are recognized by statute or regulation
Recognized Security Practices need to be implemented throughout the organization, including on workstations, mobile devices, and APIs. To ensure that this is achieved, HIPAA-regulated entities should maintain a comprehensive, up-to-date inventory of all IT assets, and ensure that Recognized Security Practices are implemented across the entire IT asset inventory.
In terms of demonstrating that Recognized Security Practices are in place, OCR is not limiting the types of evidence that can be provided. The types of evidence OCR suggested could be submitted include third-party risk assessments, policies and procedures demonstrating Recognized Security Practices are in effect, vulnerability scans, application screenshots, diagrams and narrative detail of implementation and use, and training materials regarding implementation and use. HIPAA-regulated entities are not obliged to provide evidence that Recognized Security Practices are in place, and the failure to provide evidence will not be an aggravating factor that will result in increased fines and other sanctions.