OCR Video Presentation on the HITECH Act’s Recognized Security Practices


OCR Video on Recognized Security Practices of Covered Entities Under Amended HITECH

An alarming increase in healthcare cyber hacking is getting official US government attention. In response, the HHS Office for Civil Rights (OCR) intends to improve organizations’ security procedures, including creating and releasing a no-cost YouTube video on the USGovHHSOCR channel to educate covered entities about mandatory Recognized Security Practices (RSPs). Recent government announcements suggest that the US is experiencing cyber warfare from overseas, including targeted healthcare attacks from Russia.

The HITECH Act amendment, signed into law on January 5, 2021, requires “the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations and for other purposes.” Many clinicians, however, find the rules confusing and difficult to implement. To solve that problem, Nick Heesters, the senior advisor for Cybersecurity for OCR, moderates an OCR video training to raise awareness among covered organizations and address frequently asked questions about implementing the HIPAA Rules.

This OCR video was released in line with HITECH Act Section 13412. The Act mandates audit checks to determine whether regulated firms have implemented acceptable, recognized security practices during the previous 12 months. The goal is to safeguard patient data against cyberattacks and improve the reliability of healthcare services.

Topic Covered Under Recognized Security Practices in OCR Video

This video presentation discusses the specifics of the amended HITECH Act regarding recognized security practices (RSPs), forums where information about RSPs can be found, the evidence of RSPs that OCR seeks in the event of an audit or HIPAA Security Rule investigation, and the methodologies by which regulated entities can demonstrate to authorities that they have RSPs in place.

Under the modified HITECH Act, RSPs encompass all procedures and practices under the National Institute of Standards and Technology (NIST) Act, section 405(d) of the Cybersecurity Act of 2015, and programs implemented through regulations under other statutory authorities.

OCR Video Answers Questions on HIPAA Recognized Security Practices

Regulated entities have discretion over executing security protocols and can select security practices they deem compliant with the regulations. Regarding that implementation, the video answers questions about how RSPs must be implemented throughout the enterprise (e.g., servers, workstations, APIs). The OCR video illustrates many aspects of RSPs across the enterprise, from workstations to mobile devices and APIs. For example:

  • In the video, Heesters comments, “maintaining an accurate inventory of IT assets can assist a regulated entity in ensuring its implementation of recognized security practices is truly enterprise-wide.” He also noted, “Indeed, many, if not most, recognized security practices include IT asset inventories as elements.”
  • In response to a question in the video on how the HITECH amendment provides a “safe harbor” in the case of a HIPAA breach, Heesters responds, “The HITECH amendment provides for the mitigation of civil money penalties and the remedies offered to resolve potential security rule violations.”
  • It was also noted that this amendment should not be construed as meaning that covered entities cannot be held liable for any RSP violation. Covered entities are not immune from paying penalties for violations of RSPs.

Covered Entities Beware

Penalties for violating HIPAA’s RSPs are subdivided into tiers (Tier 1, Tier 2, Tier 3, and Tier 4) based on the level of the violation, the organization’s size, and the type of offense. Under Tier 4, the maximum financial penalty per offense is $1,806,757.

Regarding access to Electronic Health Records, OCR can request any form of evidence from regulated entities to verify the implementation of RSPs, including third-party risk assessments and vulnerability scan results.
