In January 2021, Congress enacted an amendment to the HITECH Act (the “HITECH Amendment”) that requires the Department of Health and Human Services (“HHS”) to consider whether a covered entity or business associate has “adequately demonstrated” that it had “recognized security practices” in place for not less than the previous 12 months when making certain determinations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (e.g., mitigation of fines, early termination of an audit, or other remedies). The HITECH Amendment provides that “recognized security practices” (“RSPs”) include: (i) standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act; (ii) the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and (iii) other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
On Monday, October 31, 2022, HHS’s Office for Civil Rights (“OCR”) released a video on RSPs for purposes of the HITECH Amendment. The guidance briefly summarizes OCR’s current views on what it means to adequately demonstrate RSPs and answers some questions submitted during the comment period that ended June 2022. The key points from the video include:
An entity does not have to produce all of the above. The above is an illustrative list of what is expected from OCR.
Many covered entities and business associates are already utilizing the NIST Cybersecurity Framework or Section 405(d) of the Cybersecurity Act of 2015 to address the requirements of the HIPAA Security Rule, but they may not have documentation readily available to prove up the enterprise-wide implementation of such RSPs. We recommend conducting (or updating) an IT asset inventory and, to the extent feasible for an entity, documenting the system-wide implementation of RSPs in order to prepare the entity to respond to OCR in the event of a security incident that triggers an audit or investigation.