An amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Jan. 5, 2021, directing U.S. Health and Human Services (HHS) to consider "recognized security practices" in investigations related to Health Insurance Portability and Accountability Act (HIPAA) (HR 7898, Pub. L. 116-231). If a covered entity or business associate had "recognized security practices" in place for at least 12 months, HHS must take that into account when assessing fines or remedies, or determining the appropriate length of an audit. HHS's Office for Civil Rights (OCR) is now inquiring about such practices in its inquiries and audits.
A. What are "recognized security practices"?
The revisions to the HITECH Act define "recognized security practices" as including "standards, guidelines, best practices, methodologies, procedures, and processes developed under" authorities such as Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, Section 405(d) of the Cybersecurity Act of 2015 and other cybersecurity programs and processes. These cybersecurity programs and processes are developed, recognized or promulgated under other statutory authorities as determined by the covered entity or business associate and consistent with the HIPAA Security Rule. Failure to implement such recognized security practices is not presumed to result in increased liability.
While the statutory language is a bit ambiguous, the two standards most likely covered are:
- the popular NIST Cybersecurity Framework (CSF), which was developed under the statutory authority of Section 2(c)(15) of the NIST Act
- the Health Industry Cybersecurity Practices (HICP), which were released in 2018 as voluntary guidance developed by HHS and industry stakeholders in view of Section 405(d) of the Cybersecurity Act of 2015
Other likely candidates for recognized security practices include:
- NIST SP 800-66, Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which NIST is now updating
- the HITRUST Cybersecurity Framework, which was developed as a healthcare industry standard and modeled on CSF
- the ISO/IEC 27001 Information Security Management standard
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
Both ISO 27001 and NIST-SP 800-53 are robust and established security standards referenced heavily in NIST CSF.
B. How do you demonstrate adoption of "recognized security practices"?
In recent data breach investigations relating to protected health information (PHI), OCR has asked the target covered entity or business associate whether it has implemented any recognized security practices. Along with satisfying existing record requirements for HIPAA compliance, HIPAA security officials may want to specifically prioritize efforts to adopt recognized security practices and document the following:
- policies and procedures demonstrating implementation of a standard or framework referenced as one of the recognized security practices
- evidence showing when the security practices were implemented, such as dates of policy development and project plans
- documents demonstrating the scope of implementation within the overall organization and how the recognized security practices were implemented
- names of individuals charged with making sure employees implement and utilize the recognized security practices
- copies of training content provided to workforce members, along with documentation of the dates of training
- documents showing the recognized security practices meet the applicable definition as provided under HR 7898
In connection with incident response planning, covered entities and business associates should start examining whether and to what extent they can sufficiently demonstrate recognized security practices through existing documentation.
If an entity has not built its security practices to conform with any of the recognized legal standards referenced above, now would be a good time to start. Implementing a robust security compliance program based on these standards is increasingly important 1) to reduce the likelihood and severity of a material data breach and 2) in the event a breach does occur, to serve in both regulatory investigations and any lawsuits as affirmative evidence of reasonable, responsible and defensible security practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.