IImplementation of Recognized Security Practices (RSPs) for at least 12 months provide covered entities and business associates with the opportunity to reduce fines and penalties for violations of the HIPAA security rule.
On January 5, 2021, Congress passed an amendment to the HITECH Act that requires the OCR to take into account the Recognized Security Practices of covered entities and business associates when they are able to show that RSPs have been in use for the 12 months prior to a HIPAA breach incident.
If RSPs are in place, the OCR may mitigate fines and remedies and allow an early and favorable termination of an audit..
Over the past months, the amendment has generated questions related to the uncertainty about what constitutes RSPs, and how to demonstrate their implementation. In response, on October 31, 2022, HHS-OCR released a video that addresses some of these concerns about RSPs.
What Are Recognized Security Practices?
The OCR provided the following list of RSPs:
- Cybersecurity practices that align with NIST’s Cybersecurity Framework.
- Recommendations and guidance provided under Section 405(d) of the Cybersecurity Act of 2015. Covered entities and business associates can implement the cybersecurity practices found in the Health Industry Practices: Managing Threats and Protecting Patients technical volumes I and II. Volume 1 is tailored to small and medium organizations. Volume 2 is for large organizations.
- Other programs that address cybersecurity and are explicitly recognized by statute or regulation. HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.
The HHS 405(d) Program is a collaboration between the healthcare industry and the federal government to “raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats.”
The program identified and focuses on five current cybersecurity threats and provides practical recommendations within ten health industry cybersecurity practices (HICP) that can be used to mitigate the threat risks. The five cybersecurity threats are:
- Email phishing
- Attacks against connected medical devices
- Insider, accidental or intentional Data Loss
- Loss or theft of equipment or data
The 10 cybersecurity practices are:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The HICP Publication incudes a main document, two technical volumes, and a Resources and Templates Volume:
- The main document provides an overview of current healthcare related cybersecurity threats.
- Technical Volume 1 addresses 10 Cybersecurity Practices for small healthcare organizations.
- Technical Volume 2 addresses 10 Cybersecurity Practices for medium-sized and large healthcare organizations.
- The Resources and Templates Volume provides additional resources, templates, and supplementary materials.
- RSP implementation project plans and meeting minutes
- Diagrams and narrative detail of RSP implementation and use
- Training materials regarding RSP implementation and use
- Application screenshots and reports showing RSP implementation and use
- Vendor contracts and statements of work regarding RSP implementation
The HIPAA Security Rule does not require covered entities and business associates to implement recognized security practices, including the NIST Cybersecurity Framework or the approaches under Section 405(d). However, many of the RSPs overlap with the HIPAA Security Rule safeguard requirements.
RSPs are not a substitute for a HIPAA security analysis and management plan. RSPs specifically address cybersecurity related threats. The HIPAA Security Rule requires the identification and risk reduction or mitigation of all possible threats and vulnerabilities to ePHI, including cyber threats.
- RSPs that are in place for at least 12 months provide an opportunity to improve outcomes when facing a HIPAA breach.
- When conducting or updating a HIPAA Security Analysis, identify recognized security practices and document RSP implementation.
- RSPs do not provide a safe harbor that grants immunity from all liability for HIPAA Security Rule violations, but they do provide the opportunity for reduction of fines and remedies and possibly allow an early and favorable termination of an OCR audit.