How has the 2021 HITECH Act amendment affected enforcement discretion for the HIPAA Security Rule regarding recognized security practices (RSP)? What enforcement discretion does OCR bear if a HIPAA-regulated entity implements RSPs 12 months before a HIPAA Security Rule investigation or audit?
In November 2022, the Office for Civil Rights (OCR) released a video that answered those questions and others. Below is a breakdown of the key information the OCR provided.
OCR Recognized Security Practices
The HITECH amendment orders the OCR to consider RSP that a regulated entity has had in place for 12 months before an OCR audit or investigation of a HIPAA Security Rule violation. The amendment also defines three RSP categories:
Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act
To qualify, entities that choose this RSP must implement cybersecurity practices and controls that adhere to the five functions of the NIST Cybersecurity Framework:
- Identify
- Protect
- Detect
- Respond
- Recover
Section 405(d) of the Cybersecurity Act of 2015
Regulated entities choosing this RSP must establish practices that align with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). The HICP consists of two technical volumes:
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations
Other Cybersecurity Programs
For this category, regulated entities may enact cybersecurity practices and controls from a program recognized by statutes or regulations. Entities must provide statutory or regulatory citations demonstrating that the program was:
- Developed under that statutory or regulatory authority
- Recognized under it
- Or promulgated through it
What OCR Requires for RSP Verification
Implementing RSP is voluntary, and a regulated entity won’t suffer direct repercussions if it chooses not to establish RSP. The HITECH amendment was put in place to encourage better cybersecurity throughout healthcare. However, if an entity claims to use RSP, the OCR requires the entity to prove that those practices are in place and used actively and consistently.
To acquire proof, the OCR will send a data request to the entity, inviting them to present evidence of RSP that can be considered a mitigating factor in Security Rule investigations. The request also offers suggestions about how to present the RSP evidence appropriately.
Proof Parameters for RSP Implementation
- Plans for future RSP implementation aren’t accepted
- Prove RSP has been used consistently for the 12 months before the investigation or audit
- Verify that RSP is used throughout the entire enterprise—not just in select departments or devices
- Indicate which of the three RSP categories has been implemented
- Provide documentation that specific elements of selected RSP are in use
- A citation is required if the third option, “other,” has been implemented
- Notify OCR of changes in RSP status or of new or additional evidence
- Ensure dates are present on all documentation
Accepted RSP Evidence and Documentation Examples
- RSP assessments
- Asset (data and system) management documents
- Data flows, system mapping, configurations
- RSP vendor contracts, statements of work, and invoices
- Application screenshots
- Project plans, diagrams, and narrative details of implementation
- Policies and procedures
- Vulnerability scans
- Training materials
- Meeting notes
If you’d like to learn more about strengthening your organization’s cybersecurity with RSPs, or to talk with an industry expert who can simplify the complexities of the 2021 HITECH Act amendment and the HIPAA Security Rule, visit CompliancePro Solutions today.