OCR Seeks Input on “Recognized Security Practices” as Mitigating Factor for HIPAA and HITECH Fines

• In 2021, HITECH was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of HIPAA.
• HHS now seeks public comment on what should be considered a recognized cybersecurity practice.
• Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices and ensure they have been actively and consistently used over the prior 12-month period of time.

On Jan. 5, 2021, Public Law 116-321 amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider covered entities’ (most healthcare providers, health plans and clearinghouses) or business associates’ “recognized cybersecurity practices” when determining fines, audits and remedies for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as discussed in a previous McGuireWoods post.

HHS now seeks public comment on how covered entities and business associates voluntarily implement security practices, to assist its Office for Civil Rights (OCR) in determining what the “recognized cybersecurity practices” are and proper mitigating factors when auditing and fining covered entities and business associates for violations of HIPAA. See Request for Information (RIN 0945-AA04).

According to HHS, cybersecurity threats are a significant concern driving the need to safeguard electronic protected health information. One of the primary goals of the amendment was to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”  To achieve this goal, Congress sought to “[incentivize] healthcare entities to adopt strong cybersecurity practices by encouraging the Secretary of HHS to consider entities' adoption of recognized cybersecurity practices when conducting audits or administering HIPAA fines.” 

The amendment clarifies that a covered entity or business associate must “adequately demonstrate” recognized security practices. OCR has explained that this means to go beyond simply establishing and documenting the adoption of security practices. Rather, one must show that the security practices have been actively and consistently in use over the prior 12-month period of time.

Demonstration of compliance of the recognized security practices acts as a quasi-safe harbor for covered entities, allowing such entities to avoid or mitigate hefty fines or potentially receive early or favorable termination of an audit.

OCR seeks public comment on the following:

1. What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
2. On what standards, guidelines, best practices, methodologies, procedures and processes do regulated entities rely when establishing and implementing recognized security practices?
3. What steps do covered entities take to ensure that recognized security practices are “in place” and “in use”?
4. What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces)?
5. What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

Comments may be submitted electronically through the Federal eRulemaking Portal or by mail, and must be submitted by June 6, 2022.