As many readers will recall, the Health Insurance Portability and Accountability Act of 1996 was relatively “toothless” until the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was enacted to impose and collect financial penalties for violations. Both of these laws have continued to evolve, which in practice means adding new definitions, requirements, and sanctions. The current change concerns how to decide whether a covered entity or business associate had “recognized security practices” in place for at least 12 months prior to being disciplined.
As described in the National Law Review, the latest of these revisions was the HITECH amendment in January 2021, which directs the U.S. Department of Health and Human Services (HHS) to redefine “recognized security rules” during investigations of Health Insurance Portability and Accountability Act (HIPAA) violations (HR 7898, Pub. L. 116-231). In essence, the HITECH ruling regarding recognized security practices creates a “safe harbor” for covered entities. The HHS Office for Civil Rights (OCR) must consider an organization’s attempt to follow appropriate practices when 1) assessing fines or remedies or 2) determining the appropriate length of an audit. The OCR is now asking about such practices in its inquiries and audits.
What Are Recognized Security Practices?
According to the recent revisions to the HITECH Act, “recognized security practices” include standards, guidelines, best practices, methodologies, procedures, and processes developed by recognized authorities, such as those developed under Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and Section 405(d) of the Cybersecurity Act of 2015.
How Do You Demonstrate the Adoption of Your “Recognized Security Practices”?
The Office for Civil Rights (OCR) has recently asked covered entities and business associates that were targets of data breach investigations involving protected health information (PHI) whether they have implemented any recognized security practices. HIPAA security officials should prioritize the following security practices, in addition to complying with existing HIPAA Security Rule requirements, starting with their security framework. Such a framework is a set of policies and procedures that guide the development, implementation, and management of the organization’s security program.
Needed Documentation to Qualify
Covered entities or their business associates wishing to take advantage of the safe harbor created by HR 7898 must be able to prove that they had the following documentation in place at the time of any potential infraction:
- Documentation of training content provided to workforce members, as well as dates of training
- Dates of HIPAA policy development and plans for project implementation showing when security measures took effect
- Names of the individuals responsible for ensuring that employees follow recognized security practices
- Detailed documentation of how the organization has implemented standard security measures to avoid HIPAA violation
- Documented security practices that meet the relevant definition in HR 7898
- Practices and procedures that demonstrate adherence to a standard or framework that qualifies as a recognized security practice
The first step towards incident response planning for covered entities and business associates should be to evaluate whether, and to what extent, current documentation sufficiently demonstrates recognized security practices. If an organization’s security practices do not currently conform to any of the recognized standards cited above, it would be a good idea to make that change. Having an effective HIPAA security compliance program based upon these standards is increasingly important for two reasons:
- Preventing material data breaches and minimizing their severity
- Should a breach ever occur, the program can serve as affirmative evidence in regulatory investigations and any lawsuits arising from the intrusion.
The information above will help you prepare for a HIPAA compliance audit. However, your efforts do not stop there. Risk-reducing measures are essential to protect your organization, your patients, and their data, and to keep your organization from violating the HIPAA Security Rule.