
OCR Releases Video On Recognized Security Practices Under HITECH

OCR created the video presentation to educate covered entities and answer common questions about recognized security practices under HITECH.

The HHS Office for Civil Rights (OCR) released an educational video presentation on recognized security practices (RSPs) under HITECH. Nick Heesters, senior advisor for cybersecurity at OCR, presented the video and addressed key industry questions about implementation and liability.

In January 2021, Congress enacted an amendment to the HITECH Act “to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”

The amendment directed covered entities to implement security controls based on either the National Institute of Standards and Technology (NIST) framework, section 405(d) of the Cybersecurity Act of 2015, or other “programs that address cybersecurity recognized by statute or regulation.”

Under the statute, OCR is required to take into account whether a covered entity has had recognized security practices in place for the previous 12 months when conducting Security Rule audit and enforcement activities.

The amendment gives covered entities the flexibility to choose, within the guidelines, the recognized security practices that are right for their organizations. That flexibility gives covered entities control over their implementation processes, but it also raises some important questions.

Heesters answered several key questions throughout the video, such as, “What constitutes implementation throughout the enterprise, e.g. servers, workstations, APIs?”

In response, Heesters explained that regulated entities “seeking to have OCR consider evidence of implementation of RSPs in accordance with the HITECH amendment” should demonstrate that they have implemented RSPs throughout the enterprise, from workstations to mobile devices and APIs.

“Maintaining an accurate inventory of IT assets can assist a regulated entity in ensuring its implementation of recognized security practices is truly enterprise-wide,” Heesters explained.

“Indeed, many, if not most, recognized security practices include IT asset inventories as elements.”

In addition to addressing implementation questions, OCR tackled a question about whether the HITECH amendment provides a “safe harbor” in the event of a HIPAA violation, “along the lines that ‘secured PHI’ provides ‘safe harbor’ in the event of a breach.”

“The HITECH amendment provides for the mitigation of civil money penalties and the remedies offered to resolve potential Security Rule violations,” Heesters explained.

“This is not the same thing as a ‘safe harbor’ or immunity from liability for potential Security Rule violations. Regulated entities should not interpret the HITECH amendment to mean that if they implement recognized security practices, they cannot be held responsible for potential Security Rule violations.”

OCR clarified that it would consider RSPs that have been in place for the previous 12 months as a “mitigating factor in investigations involving the Security Rule,” but that RSPs will not exempt covered entities from paying fines or from implementing a corrective action plan.

The video also addressed questions about the evidence OCR will use to determine whether RSPs are in place. OCR will not limit the types of evidence a regulated entity can submit for consideration; acceptable evidence may include vulnerability scans, third-party risk assessments, and policies and procedures that demonstrate RSP implementation.
