OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place

By | November 1, 2022

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), was introduced by the Obama administration to encourage the adoption of health information technology to improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure the privacy and security of healthcare data.

On January 5, 2022, H.R. 7898 was signed into law, amending Section 13412 of the HITECH Act to require HHS to take the Recognized Security Practices of HIPAA-regulated entities into account in certain HIPAA Security Rule enforcement and audit activities, when a HIPAA-regulated entity is able to demonstrate that Recognized Security Practices have been in place continuously for the 12 months prior to a security incident.

The HITECH Act update does not create a safe harbor: organizations that have implemented Recognized Security Practices are not granted immunity from liability for HIPAA Security Rule violations, and the amendment will not prevent OCR from imposing financial penalties when HIPAA Security Rule violations are discovered. Organizations that can demonstrate they have implemented Recognized Security Practices can, however, mitigate fines under section 1176 of the Social Security Act, mitigate the remedies that would otherwise be agreed in agreements to resolve violations of the HIPAA Security Rule, and reduce the length and extent of audits and investigations. The HITECH Act amendment therefore acts as an incentive for HIPAA-regulated entities to implement Recognized Security Practices and do everything in their power to safeguard patient data. OCR has confirmed that implementing Recognized Security Practices is voluntary.

On April 6, 2022, OCR issued a Request for Information (RFI) seeking input from the public on the HITECH Act amendment, specifically on how HIPAA-regulated entities were implementing Recognized Security Practices, and how they anticipated demonstrating that they are in place and have been for 12 months. The RFI also included a request for comment on the long-awaited implementation of the HITECH Act requirement for OCR to share a proportion of the civil monetary penalties and settlements collected through its HIPAA enforcement activities with individuals who have been harmed due to HIPAA violations.

What Are Recognized Security Practices?

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity that are explicitly recognized by statute or regulation

HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.

OCR Security Rule Audits and HIPAA Security Rule Investigations of Potential Violations

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity informing it that it can voluntarily provide evidence that Recognized Security Practices have been in place. This both raises awareness of the HITECH Act amendment and allows the regulated entity to submit evidence as a mitigating factor. The request will also include guidance on how that evidence can be provided and the types of evidence a HIPAA-regulated entity can consider submitting.

How to Demonstrate Recognized Security Practices Have Been in Place

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting. OCR will not limit the evidence that can be provided and the request is not a one-time opportunity to provide evidence. Evidence can be provided to OCR continuously.

The regulated entity must demonstrate that Recognized Security Practices have been fully implemented and have been, and continue to be, actively and consistently in use. Documentation that only establishes the initial adoption of Recognized Security Practices is insufficient, and OCR will not consider documentation stating that the organization plans to implement Recognized Security Practices in the future. Documentation must demonstrate the implementation of Recognized Security Practices throughout the enterprise.

In the response, HIPAA-regulated entities should state which Recognized Security Practices have been implemented. If a HIPAA-regulated entity has chosen “other programs,” OCR will need to be provided with statutory or regulatory citations showing they were developed, recognized, or promulgated by statute or regulation.

OCR suggests the following can be provided as evidence, although the list is not exhaustive:

  • Policies and procedures regarding the implementation and use of RSPs
  • RSP implementation project plans and meeting minutes
  • Diagrams and narrative detail of RSP implementation and use
  • Training materials regarding RSP implementation and use
  • Application screenshots and reports showing RSP implementation and use
  • Vendor contracts and statements of work regarding RSP implementation

OCR also requires dates that support the implementation and use of RSPs for the previous 12 months.

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices serve as a mitigating factor only in HIPAA Security Rule investigations and audits, not in other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

The post OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place appeared first on HIPAA Journal.