HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA

Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months.  However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear.  Now, the Department of Health and Human Services is seeking to provide clarity.

What To Do About “Recognized Security Practices” Now

HIPAA regulated entities may wish to review and compare their security practices to RSPs, and where necessary, implement RSPs to strengthen their cybersecurity and regulatory posture. Specifically, as HIPAA regulated entities assess their exposure to HIPAA cybersecurity risks, they should consider assembling evidence of RSP implementation, such as policies and procedures, implementation project plans, meeting minutes, diagrams and narrative detail of RSP implementation and use, training materials and vendor contracts.  Moreover, HIPAA regulated entities should monitor future OCR developments with respect to RSPs, as OCR may determine that future guidance or rulemaking is necessary.

“Recognized Security Practices” Webinar

On October 31, 2022, the Health and Human Service’s Office for Civil Rights (OCR) released a webinar on Recognized Security Practices (RSP).  This follows a Request for Information related to RSPs published by OCR on April 6, 2022 and which closed on June 6, 2022.  OCR indicated it is reviewing the comments to consider whether future guidance or rulemaking is necessary.  The webinar on RSPs provides guidance and clarification on the following topics: the HITECH Amendment, types of RSPs, and how HIPAA regulated entities can adequately demonstrate that RSPs are in place.

In January 2021, Congress enacted an amendment to the HITECH Act which requires “the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”  Effective January 5, 2021, the HITECH amendments require OCR take into consideration the RSPs that a regulated entity had in place for the previous 12 months when OCR makes enforcement determinations to resolve potential violations of the HIPAA Security Rule.

OCR is clear in the webinar that a failure to implement RSPs will not be an aggravating factor in OCR investigations, and there is no liability for a regulated entity that has not implemented RSPs (separate from any Security Rule violation).  However, OCR indicated that evidence of the use of RSPs in the previous 12 months is a mitigating factor with respect to potential violations of the Security Rule, and also may result in the early, favorable termination of an audit.

In the webinar, OCR stated that it began implementing its consideration of RSPs last year.  Specifically, OCR has invited regulated entities to respond to data requests concerning RSPs through OCR audits of compliance with the HIPAA Security Rule or investigations involving potential violations of the Security Rule.  Additionally, OCR indicated that the data request for RSPs should be considered a standing data request, and as a regulated entity adds or makes changes to RSP practices, it can continue to provide that information to OCR.

Categories Of “Recognized Security Practices” And Evidence Of Implementation

The webinar discusses the three categories of RSPs:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the National Institute of Standards and Technology or NIST Act.  In the webinar, OCR references NIST’s Cybersecurity Framework which provides documentation for implementing NIST’s Cybersecurity Framework.
  • Approaches promulgated under section 405(d) of the Cybersecurity Act of 2015.  OCR specifically references the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), and provides links concerning its implementation here.   OCR also referenced technical volumes concerning HICP, which are divided into a technical volume for medium and large health care organizations, as well as for small health care organizations.
  • Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.  Here, OCR specifies that entities selecting this RSP should explicitly reference regulatory or statutory citations demonstrating their RSPs were developed, recognized, or promulgated from a statute.  OCR’s webinar does not provide any examples of such statutory authorities.

OCR stated that HIPAA-regulated entities should not reference plans to implement RSPs at a future date.  The RSPs need to have been in place for the last 12 months to receive mitigating credit.  Additionally, OCR stressed that RSPs need to have been implemented in practice.  Specifically, OCR notes that RSPs should be implemented consistently throughout the organization, although OCR acknowledges that certain RSPs may be tailored to combat specific threats or to target specific technologies.  OCR provided examples of ways regulated entities may demonstrate RSPs are in place, including policies and procedures regarding the implementation and use of RSPs, implementation of project plans and meeting minutes, diagrams and narrative detail of RSP implementation and use, training materials and vendor contracts.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.