
Recent HIPAA Security Rule Update: Recognized Security Practices


As many readers will recall, the Health Insurance Portability and Accountability Act of 1996 was relatively “toothless” until the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was enacted to impose and collect financial penalties for violations. Both of these laws have continued to evolve, which in practice means adding new definitions, requirements, and sanctions. The current change concerns how to decide whether a covered entity or business associate had “recognized security practices” in place for at least 12 months prior to being disciplined.

As described in the National Law Review, the latest of these revisions was the HITECH amendment of January 2021, which directs the U.S. HHS to redefine “recognized security rules” during investigations of Health Insurance Portability and Accountability Act (HIPAA) violations (HR 7898, Pub. L. 116-231). In essence, the HITECH ruling regarding recognized security practices creates a “safe harbor” for covered entities. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) must consider an organization’s attempt to follow appropriate practices 1) when assessing fines or remedies and 2) when determining the appropriate length of an audit. The OCR is now asking about such practices in its inquiries and audits.

What Are Recognized Security Practices?

According to the recent revisions to the HITECH Act, “recognized security practices” include standards, guidelines, best practices, methodologies, procedures, and processes developed under recognized authorities, such as Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and Section 405(d) of the Cybersecurity Act of 2015.

How Do You Demonstrate the Adoption of Your “Recognized Security Practices”?

The Office for Civil Rights (OCR) has recently asked covered entities and business associates that were the subjects of data breach investigations involving protected health information (PHI) whether they have implemented any recognized security practices. HIPAA security officials should prioritize the following security practices in addition to complying with existing HIPAA Security Rule requirements, including maintaining a security framework. Such a framework is a set of policies and procedures that guides the development, implementation, and management of the organization’s security.

Needed Documentation to Qualify

Covered entities or their business associates wishing to take advantage of the safe harbor created by HR 7898 must be able to prove that they had the following documentation in place at the time of any potential infraction:

  • Documentation of training content provided to workforce members, as well as dates of training
  • Dates of HIPAA policy development and plans for project implementation showing when security measures took effect
  • Names of the individuals responsible for ensuring that employees follow recognized security practices
  • Detailed documentation of how the organization has implemented standard security measures to avoid HIPAA violations
  • Documented security practices that meet the relevant definition as set out in HR 7898
  • Practices and procedures that demonstrate adherence to a standard or framework that qualifies as good security practice

The first step towards incident response planning for covered entities and business associates should be to evaluate whether, and to what extent, current documentation sufficiently demonstrates recognized security practices. If an organization’s security practices do not currently conform to any of the recognized standards cited above, it would be a good idea to make that change. Having an effective HIPAA security compliance program based upon these standards is increasingly important for two reasons:

  • It helps prevent material data breaches and minimizes their severity.
  • Should a breach ever occur, it can serve as affirmative evidence in regulatory investigations and in any lawsuits arising from the intrusion.

The information above will help you prepare for a HIPAA compliance audit. However, your efforts do not stop there. Risk-reducing measures are essential to protect your organization, your patients, and their data, and to keep you from violating the HIPAA Security Rule.



Stacey Soeldner
1 year ago

What is your suggestion on creating cyber policies?
