OCR Releases New Recognized Security Practices Video

Med-Net Academy Healthcare Compliance Training

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) produced a new video on recognized security practices for organizations covered under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Recognized security practices can help organizations improve their ability to safeguard patient information from cyberattacks and better safeguard healthcare services. Section 13412 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires OCR to take into consideration in certain Security Rule enforcement and audit activities whether a regulated entity has adequately demonstrated that recognized security practices were “in place” for the prior 12 months.

The video presentation is intended to educate the healthcare sector on the categories of recognized security practices and how entities regulated under the HIPAA Rules may demonstrate implementation. Topics include:

· The 2021 HITECH Amendment regarding recognized security practices

· How regulated entities can demonstrate that recognized security practices are in place

· Details the evidence of recognized security practices that may be requested by OCR in the event of a HIPAA Security Rule investigation or audit

· Where to find more information about recognized security practices

· Answers to a selection of questions submitted to OCR in June 2022 on recognized security practices You can watch the video presentation on OCR’s YouTube channel here.

Issue:

Cybersecurity threats are a significant concern driving the need to safeguard electronic protected health information (ePHI) as required by the HIPAA Security Rule. Covered entities and business associates should do everything in their power to safeguard patient data. According to OCR, it is insufficient for a regulated entity to merely establish and document the initial adoption of recognized security practices. For OCR to consider such practices when making determinations relating to penalties, audits, or other remedies, the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time. The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the Security Rule.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and the Security Rule. Ensure that they address how to best safeguard patient data from cyberattacks. Update as new information becomes available.
  • Train appropriate staff on HIPAA, PHI, and the Security Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
  • Periodically audit to ensure that recognized security practices are fully implemented, and that staff are adhering to data integrity security measures. Also audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Security Rule are being followed.