An amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Jan. 5, 2021, directing U.S. Health and Human Services (HHS) to consider "recognized security practices" in investigations related to the Health Insurance Portability and Accountability Act (HIPAA) (HR 7898, Pub. L. 116-321). If a covered entity or business associate had "recognized security practices" in place for at least the previous 12 months, HHS must take that into account when assessing fines or remedies, or when determining the appropriate length of an audit. HHS's Office for Civil Rights (OCR) now asks about such practices in its investigations and audits.
A. What are "recognized security practices"?
The revisions to the HITECH Act define "recognized security practices" as including "standards, guidelines, best practices, methodologies, procedures, and processes developed under" authorities such as Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, Section 405(d) of the Cybersecurity Act of 2015, and other cybersecurity programs and processes. Those other programs and processes must be developed, recognized or promulgated under other statutory authorities, as determined by the covered entity or business associate, and consistent with the HIPAA Security Rule. The amendment is a one-way incentive: it does not create liability for an entity that elects not to adopt recognized security practices, and failing to adopt them is not to be construed as increasing liability.
While the statutory language is a bit ambiguous, the two standards most likely covered are:
Other likely candidates for recognized security practices include:
Both ISO/IEC 27001 and NIST SP 800-53 are robust, established security standards that the NIST Cybersecurity Framework (CSF) cites heavily as informative references for its controls.
B. How do you demonstrate adoption of "recognized security practices"?
In recent data breach investigations relating to protected health information (PHI), OCR has asked the covered entity or business associate under investigation whether it has implemented any recognized security practices. Beyond satisfying the existing record-keeping requirements for HIPAA compliance, HIPAA security officials may want to prioritize adopting recognized security practices and, specifically, to document the following:
As part of incident response planning, covered entities and business associates should examine whether, and to what extent, their existing documentation is sufficient to demonstrate recognized security practices to OCR, since the 12-month look-back means the evidence must predate the incident.
If an entity has not built its security practices to conform with any of the recognized standards referenced above, now is a good time to start. Implementing a robust security compliance program based on these standards is increasingly important: 1) to reduce the likelihood and severity of a material data breach, and 2) if a breach does occur, to serve in both regulatory investigations and any lawsuits as affirmative evidence of reasonable, responsible and defensible security practices.