HIPAA TIP: Recognized Security Practices

An amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Jan. 5, 2021, directing the U.S. Department of Health and Human Services (HHS) to consider “recognized security practices” in investigations related to HIPAA (the Health Insurance Portability and Accountability Act) (H.R. 7898, Pub. L. 116-231).

If a Covered Entity or Business Associate has had “recognized security practices” in place for at least 12 months, HHS must take that into account when assessing fines or remedies, or when determining the appropriate length of an audit. HHS’s Office for Civil Rights (OCR) now asks about such practices in its investigations and audits.

What does this mean for your organization? The revisions to the HITECH Act define “recognized security practices” as including “standards, guidelines, best practices, methodologies, procedures, and processes developed under” authorities such as Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, Section 405(d) of the Cybersecurity Act of 2015, and other cybersecurity programs and processes. Those other programs and processes must be developed, recognized, or promulgated under other statutory authorities, as determined by the Covered Entity or Business Associate, and must be consistent with the HIPAA Security Rule.

The two frameworks most likely to qualify are:

• The NIST Cybersecurity Framework (CSF)

• The Health Industry Cybersecurity Practices (HICP)