If you use “recognized security practices” to protect patient data, the Office for Civil Rights (OCR) may go easier on you in a HIPAA investigation or audit. On November 1, 2022 the HHS’ OCR released an educational video on recognized security practices (RSPs) under the HITECH Act to answer industry questions about implementation and liability.
Background on HITECH
HITECH, or Health Information Technology for Economic and Clinical Health Act, was part of the American Recovery and Reinvestment Act (ARRA) – an economic stimulus package designed to preserve jobs and stimulate infrastructure investments. HITECH also included incentives to spur technological advances in science and health.
Signed into law in 2009, HITECH promoted the adoption of electronic health records (EHR) and addressed privacy and security issues surrounding the electronic transmission of health information.
HITECH also:
- added the Breach Notification Rule,
- led to creation of the OCR Breach Portal,
- extended HIPAA liability to Business Associates, and
- strengthened penalties for non-compliance.
Flexibility in HIPAA Enforcement
In January 2021, Congress amended the HITECH Act and required HHS to consider certain recognized security practices (RSPs) that covered entities and business associates have had in place for the previous 12 months when making determinations regarding fines (called civil money penalties), audits, or other agreed-upon remedies, such as resolution agreements (italics added for emphasis).
OCR solicited comments on the HITECH amendment and the comment period closed on June 6, 2022. Regulators are still reviewing the comments, but in the meantime issued the video to answer some questions.
OCR Uses a Carrot, Not a Stick
The amendment gave covered entities and business associates incentives for adopting recognized security and privacy controls by offering reduced fines and other benefits. One of the primary goals of the amendment was to encourage the healthcare industry to do “everything in their power to safeguard patient data.”
There are three categories of RSPs an organization can use that OCR will consider:
- the National Institute of Standards and Technology (NIST) Cybersecurity Framework; see also NIST Special Publication 800-53;
- Section 405(d) of the Cybersecurity Act of 2015; and
- other programs that address cybersecurity by statute or regulation.
Some Questions are Answered about Recognized Security Practices
The video presentation addresses several key issues about how recognized security practices can mitigate the effects of an OCR enforcement action.
Highlights are provided below.
- OCR will only consider the implementation of RSPs as a mitigating factor in HIPAA Security Rule investigations and audits.
- Entities must adequately demonstrate that the RSPs have been in place for the previous 12 months.
- Entities must show implementation throughout the enterprise, for example, on servers, workstations, mobile devices, APIs and any other device or software as applicable.
- Maintaining an accurate inventory of IT assets can help ensure the RSPs are enterprise-wide and OCR notes that a HIPAA Risk Analysis requires the same IT asset inventory.
- Entities are not expected to implement RSPs that are not applicable, e.g., if you have no “medical devices” the RSPs for medical devices are not necessary.
- The use of RSPs is not a “safe harbor” and does NOT provide immunity from liability for potential security rule violations. Follow HIPAA completely, do an annual Risk Analysis and maintain your Risk Management plan year round.
Use The HIPAA E-Tool® and Stay Ahead
The Security Rule Checklist in The HIPAA E-Tool® covers all the bases. As part of a full HIPAA Risk Analysis, the Security Rule Checklist, drawing on the Security Rule and NIST, helps you answer the right questions and guides you to the recognized security practices you need to reduce your exposure in a HIPAA investigation or an audit.