A strong cybersecurity program can help defend against cyber attacks and protect sensitive patient data. Thanks to a 2021 amendment of the HITECH Act, when a breach occurs, it can also reduce enforcement penalties. The amendment affords regulatory protection to covered entities and business associates who have implemented “Recognized Security Practices” (RSPs).
The HITECH amendment requires the U.S. Department of Health and Human Services, Office of Civil Rights (HHS-OCR) to consider RSPs an entity had in place for the past 12 months when determining fines, audit results, or other enforcement remedies related to violations of the HIPAA Security Rule. HIPAA does not require regulated entities to adopt RSPs, but those that do may receive added protection.
There has been some uncertainty within the industry about what constitutes RSPs and how to demonstrate their implementation. On October 31, 2022, HHS-OCR released a video to provide clarity and address common questions about RSPs.
What are recognized security practices?
RSPs are essentially industry-recognized best practices aimed at protecting sensitive health data. The HITECH amendment recognizes three categories of RSPs:
- The standards, guidelines, best practices, methodologies, procedures, and processes developed under Section (c)(15) of the National Institute of Standards and Technology Act (NIST). Covered entities and business associates that choose this category should adopt cybersecurity practices that align with NIST’s Cybersecurity Framework.
- The approaches under Section 405(d) of the Cybersecurity Act of 2015. Covered Entities and business associates can implement the cybersecurity practices described in the Health Industry Practices: Managing Threats and Protecting Patients technical volumes, which are tailored to small, medium, and large organizations.
- Other cybersecurity programs recognized by statute or regulations.
Covered entities and business associates can choose which category of RSPs to adopt based on what works best for their organization. RSPs include measures related to asset management, risk assessment, risk management, access control, workforce training, data security, and other issues. The endgame is to protect sensitive health information.
Does HIPAA require healthcare organizations to adopt RSPs?
Adoption of RSPs is voluntary. The HIPAA Security Rule does not require covered entities and business associates to follow the NIST Cybersecurity Framework or the approaches under Section 405(d) of the Cybersecurity Act of 2015. However, many RSPs overlap with the security safeguards already required by the Security Rule, so compliance with one can go hand-in-hand with the other.
Is the 2021 Hitech Act Amendment a new HIPAA “safe harbor”?
HHS-OCR clarified that implementing RSPs is not a “safe harbor” and does not provide automatic immunity from HIPAA liability. However, adopting RSPs can help keep sensitive health information safe while also reducing the potential negative regulatory consequences of a HIPAA security breach or HHS-OCR investigation.
What’s the best way to document an organization’s implementation of RSPs?
To receive protection, a covered entity or business associate must show that RSPs were actively and consistently in use for at least 12 months. According to HHS-OCR, merely having written policies without actual implementation is insufficient. In addition, the RSPs must be implemented enterprise-wide and not just isolated to a narrow segment of the organization.
There are many ways to document RSP implementation. HHS-OCR provides the following (non-exhaustive) list of examples:
- Policies and procedures on implementation and use of RSPs
- RSP implementation project plans and meeting minutes
- Diagrams and narrative detail of RSP implementation and use
- Training materials regarding RSP implementation and use
- Application screenshots and reports showing RSP implementation and use
- Vendor contracts and SOWs showing RSP implementation.
Covered entities and business associates that experience HIPAA breaches are subject to heightened governmental scrutiny and potential regulatory enforcement. Breaches impacting the health information of 500 or more individuals typically trigger an investigation by HHS-OCR. These investigations can involve a detailed review of an organization’s cybersecurity practices and can uncover HIPAA violations that may result in fines, penalties, and other enforcement activities.
To reap the benefit of the 2021 HITECH amendment, entities need to be able to demonstrate implementation and ongoing use of RSPs for at least 12 months. RSPs should be implemented in a way that protects electronic PHI across the regulated entity’s enterprise.
Documentation is key. It is easier to make changes and compile documentation as part of an ongoing compliance review, rather than in the wake of a major cyber incident. Implementation of RSPs can also prevent a cyber incident from happening in the first place.
As 2022 draws to a close, now is a great time for covered entities and business associates to take stock of their cybersecurity program. In light of the 2021 HITECH amendment, regulated entities should consider implementing RSPs or strengthening documentation of RSPs that are already in place.