HIPAA Tip: Health Industry Cybersecurity Practices (HICP)

The Health Industry Cybersecurity Practices (HICP) is a publication that gives organizations, companies and manufacturers in the healthcare industry practical guidance on implementing cybersecurity best practices. Developed with every stakeholder in mind, it offers resources and best practices that organizations from small to large can use to prepare for and defend against cybersecurity threats that can impact patient safety.

HICP was produced in collaboration with HHS 405(d) and constitutes a voluntary set of federally recognized standards. Adopting and documenting these practices can work in an organization’s favor if the Office for Civil Rights (OCR) conducts an audit. In 2021 a bill named HR 7898 was signed into law as an amendment to the HITECH Act; it is now known as Public Law 116-321. The law requires HHS to recognize the adoption of cybersecurity best practices, such as 405(d) HICP. If an organization can demonstrate that it has had 405(d) HICP in place for no less than 12 months before an investigation begins, this may result in the mitigation of fines and early, favorable regulatory treatment.

HICP’s 10 Mitigating Practices:

  • Email Protection Systems
  • Endpoint Protection Systems
  • Identity and Access Management
  • Data Protection and Loss Prevention
  • IT Asset Management
  • Network Management
  • Vulnerability Management
  • Security Operations Center & Incident Response
  • Network Connected Medical Device Security
  • Cybersecurity Oversight and Governance

HIPAA compliance isn’t a one-time checklist. It’s ongoing and programmatic in nature, and it requires demonstrated, reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can give you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.