A strong cybersecurity program can help defend against cyber attacks and protect sensitive patient data. Thanks to a 2021 amendment to the HITECH Act, it can also reduce enforcement penalties when a breach occurs. The amendment affords regulatory protection to covered entities and business associates that have implemented “Recognized Security Practices” (RSPs).
The HITECH amendment requires the U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) to consider the RSPs an entity had in place for the previous 12 months when determining fines, audit results, or other enforcement remedies related to violations of the HIPAA Security Rule. HIPAA does not require regulated entities to adopt RSPs, but those that do may receive added protection.
There has been some uncertainty within the industry about what constitutes RSPs and how to demonstrate their implementation. On October 31, 2022, HHS-OCR released a video to provide clarity and address common questions about RSPs.
RSPs are essentially industry-recognized best practices aimed at protecting sensitive health data. The HITECH amendment recognizes three categories of RSPs:
1. The NIST Cybersecurity Framework;
2. The approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices publication); and
3. Other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities.
Covered entities and business associates can choose which category of RSPs to adopt based on what works best for their organization. RSPs include measures related to asset management, risk assessment, risk management, access control, workforce training, data security, and other areas. The end goal is to protect sensitive health information.
Adoption of RSPs is voluntary. The HIPAA Security Rule does not require covered entities and business associates to follow the NIST Cybersecurity Framework or the approaches under Section 405(d) of the Cybersecurity Act of 2015. However, many RSPs overlap with the security safeguards already required by the Security Rule, so compliance with one can go hand-in-hand with the other.
HHS-OCR clarified that implementing RSPs is not a “safe harbor” and does not provide automatic immunity from HIPAA liability. However, adopting RSPs can help keep sensitive health information safe while also reducing the potential negative regulatory consequences of a HIPAA security breach or HHS-OCR investigation.
To receive protection, a covered entity or business associate must show that RSPs were actively and consistently in use for at least the previous 12 months. According to HHS-OCR, merely having written policies without actual implementation is insufficient. In addition, the RSPs must be implemented enterprise-wide, not just in a narrow segment of the organization.
There are many ways to document RSP implementation. HHS-OCR provides the following (non-exhaustive) list of examples:
Covered entities and business associates that experience HIPAA breaches are subject to heightened governmental scrutiny and potential regulatory enforcement. Breaches affecting the health information of 500 or more individuals typically trigger an investigation by HHS-OCR. These investigations can involve a detailed review of an organization’s cybersecurity practices and can uncover HIPAA violations that may result in fines, penalties, and other enforcement activities.
To reap the benefit of the 2021 HITECH amendment, entities need to be able to demonstrate implementation and ongoing use of RSPs for at least 12 months. RSPs should be implemented in a way that protects electronic PHI across the regulated entity’s enterprise.
Documentation is key. It is easier to make changes and compile documentation as part of an ongoing compliance review than in the wake of a major cyber incident. Implementing RSPs can also prevent a cyber incident from happening in the first place.
As 2022 draws to a close, now is a great time for covered entities and business associates to take stock of their cybersecurity program. In light of the 2021 HITECH amendment, regulated entities should consider implementing RSPs or strengthening documentation of RSPs that are already in place.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Woods Rogers Vandeventer Black | Attorney Advertising
Copyright © JD Supra, LLC