The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has published a YouTube video that explains in detail how the 2021 HITECH Act amendment concerning “Recognized Security Practices” applies to HIPAA-covered entities. The video also explains how HIPAA-covered entities can demonstrate to OCR that Recognized Security Practices had been in place for one year before a security breach.
The Obama administration introduced the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, a component of the American Recovery and Reinvestment Act (ARRA), to encourage the adoption of health information technology in order to improve quality, security, and efficiency; involve patients in their care; improve care coordination; improve the health status of the population; and ensure the privacy and security of healthcare information.
H.R. 7898 became law on January 5, 2022. It amended Section 13412 of the HITECH Act to require HHS to take into consideration the Recognized Security Practices of HIPAA-covered entities in certain activities related to HIPAA Security Rule enforcement and audits, when a HIPAA-covered entity can demonstrate that Recognized Security Practices had been in place continuously for the one year before a security incident.
The HITECH Act amendment does not create a safe harbor that gives organizations that have implemented Recognized Security Practices immunity from liability for HIPAA Security Rule violations. Nor does it prevent OCR from imposing financial penalties when it finds violations of the HIPAA Security Rule. Organizations that can prove they have implemented Recognized Security Practices can, however, mitigate penalties under Section 1176 of the Social Security Act, reduce the remedies that would otherwise be required in agreements settling HIPAA Security Rule violations, and shorten the length and scope of audits and investigations. The HITECH Act amendment therefore works as an incentive for HIPAA-covered entities to implement Recognized Security Practices and do what is needed to protect patient information. OCR has stated that implementing Recognized Security Practices is voluntary.
On April 6, 2022, OCR released a Request for Information (RFI) to obtain feedback from the community about the HITECH Act amendment, in particular about how HIPAA-covered entities were implementing Recognized Security Practices and how they expected to demonstrate that the practices had been in place for 12 months. The RFI also sought comments on the HITECH Act requirement that OCR distribute a percentage of the civil monetary penalties and settlements collected through its HIPAA enforcement activities to those who have suffered harm because of HIPAA violations.
Recognized Security Practices Defined
Nick Heesters, senior advisor for cybersecurity at OCR, discusses the HITECH Act amendment, what Recognized Security Practices are, and how implementing them can reduce the consequences of violations. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Section 405(d) of the Cybersecurity Act of 2015, or
- Other programs and processes that address cybersecurity and are explicitly recognized by statute or regulation
HIPAA-covered entities are free to select the Recognized Security Practices that are most suitable for their organization.
OCR HIPAA Security Rule Audits and Investigations of Possible Violations
Heesters stated that when OCR audits or investigates a potential HIPAA Security Rule violation, it will send the covered entity a data request notifying it that it may voluntarily submit evidence that Recognized Security Practices are in place. This raises awareness of the HITECH Act amendment and allows the covered entity to submit evidence as a mitigating factor. The request will also include guidance on how to provide that evidence and the kinds of evidence a HIPAA-covered entity may consider submitting.
How to Prove There Were Recognized Security Practices in Place
Heesters discussed how HIPAA-covered entities can demonstrate to OCR that they have Recognized Security Practices in place and the kinds of evidence they may consider submitting. OCR will not restrict the evidence that can be submitted, and the request is not a one-time opportunity; evidence may be submitted to OCR on an ongoing basis.
The covered entity should demonstrate that Recognized Security Practices were fully implemented and were continuously active and in regular use. Documentation that only confirms the initial adoption of Recognized Security Practices is not enough, and OCR will not accept documentation stating that the organization plans to implement Recognized Security Practices in the future. Documentation should demonstrate the implementation of Recognized Security Practices across the enterprise.
In response to a request, HIPAA-covered entities should identify which Recognized Security Practices were implemented. If a HIPAA-covered entity has selected “other programs,” it must provide OCR with the statutory or regulatory citations showing that those programs were developed, recognized, or promulgated by statute or regulation.
OCR gives the following non-exhaustive list of what may be considered evidence of Recognized Security Practices (RSPs):
- Policies and procedures concerning the implementation and use of RSPs
- RSP implementation project plans and meeting minutes
- Diagrams and narrative descriptions of RSP implementation and use
- Training materials related to RSP implementation and use
- Application screenshots and reports that show RSP implementation and use
- Vendor contracts and statements of work related to RSP implementation
OCR also asks for dates that show the implementation and use of RSPs over the past 12 months.
Heesters confirmed that organizations that have implemented Recognized Security Practices, and can demonstrate this adequately, will not necessarily avoid financial penalties; however, OCR will take the Recognized Security Practices into account as a mitigating factor. Recognized Security Practices mitigate only HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into possible violations of the HIPAA Privacy Rule. Heesters also stated that the absence of Recognized Security Practices will not be treated as an aggravating factor and will not result in higher penalties.