How 'Recognized Security Practices' Fit with HIPAA Actions
HHS OCR Explains How It Is Considering Implementation of Certain Best Practices
The Department of Health and Human Services released new video guidance explaining how it will consider the "recognized security practices" when enforcing HIPAA.
The new guidance addresses a 2021 addition to the HITECH Act of 2009 requiring HHS' Office for Civil Rights to consider regulated entities’ implementation of "recognized security practices" during the previous 12 months when the agency makes certain HIPAA enforcement determinations.
In the video, Nicholas Heesters, a civil rights office senior advisor for cybersecurity, says there are three categories of recognized security practices a regulated entity can implement: the National Institute of Standards and Technology's Cybersecurity Framework; the practices outlined in section 405(d) of the Cybersecurity Act of 2015; and "other".
From entities choosing "other", HHS OCR will request regulatory or statutory citations showing that the practices were developed, recognized, or promulgated by statute or regulation, Heesters says.
"It is important to note that implementing RSPs is an entirely voluntary process," Heesters says on the video. "The failure to implement recognized security practices will not be used as an aggravating factor in OCR investigations, and there is no liability for a regulated entity that has not implemented recognized security practices," he says.
"The purpose of the HITECH amendment is to incentivize the regulated industry to improve their cybersecurity by implementing recognized security practices. OCR will only consider the implementation of recognized security practices as a mitigating factor in Security Rule investigations and audits," he says.
Driving Better Security?
Heesters explains that in security audits or breach investigations involving potential violations of the HIPAA Security Rule, the agency will first "invite" a regulated entity to voluntarily present evidence of implemented recognized security practices by sending a data request to the organization.
Entities that are not already aware that recognized security practices can be a mitigating factor will learn of it through that request, Heesters says.
An entity may provide any evidence it chooses to adequately demonstrate to OCR that it has implemented RSPs, he adds.
Some experts say this congressionally mandated move might help incentivize some covered entities and business associates to embrace stronger security best practices, but it is unlikely to drive vast immediate improvements in the overall cybersecurity of the healthcare sector.
"While this is certainly a positive development, and reflects what has typically been unofficially true [already], I suspect that it will not be a significant driver in changing an entity’s approach to security," says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
"If there is already a solid compliance mindset coupled with the necessary budget, the ability to point to RSPs will serve as a good additional safety net," he says.
If this move by HHS OCR motivates some entities to take their security obligations more seriously "that is a win for everyone," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"At the same time, I have never really understood how this new statute will actually matter," he adds. "OCR has always considered the security practices of an entity under investigation."
The main reason to implement better security practices is to actually have better security, Nahra says.
"Aside from legal requirements and appropriately protecting patient data, it is in the self-interest of every covered entity and business associate, small or large, to implement good security programs and have effective means of responding to security incidents," he says.
"I don’t know why this requirement will change OCR’s actual approach on enforcement - it may lead to a more specific notation in documents about this consideration but I doubt it will have a substantive effect very often."