Two weeks ago, US Health and Human Services released a half-hour video to "...educate HIPAA regulated entities on the categories of recognized security practices and how entities may demonstrate implementation..." Here are the notes we took while watching the presentation. We recommend that HIPAA Security Officers considering any of the recognized security practices (RSP) remember two things: 1) these RSPs do NOT replace the requirement to remain HIPAA compliant, and 2) adopting an RSP is voluntary.
As a reminder, the HITECH Act was amended in 2021 to direct the Office for Civil Rights (OCR) to consider a regulated entity's RSP implementation during OCR Security Rule enforcement or compliance activities (e.g. audits, investigations, etc.). The RSPs must demonstrably have been in place (i.e. the practices must actually be used across the enterprise wherever they apply) for the previous 12 months. Where they are, they may mitigate civil monetary penalties, the terms of a settlement agreement, or lead to early, favorable termination of an audit. Note that merely establishing and documenting adoption is not sufficient, and neither is a plan to implement the practices at some future date. The three categories of recognized RSPs are:
NIST Act Section 2(c)(15)
Cybersecurity Act of 2015 Section 405(d), and
"Other" programs that are recognized by statute or regulation and address cybersecurity
The NIST Cybersecurity Framework, available here. This framework is centered around five core functions: identify, protect, detect, respond and recover. Within each function are implementation categories and subcategories (e.g. asset management, governance, risk assessment and risk management strategy under the Identify function, etc.).
The newly developed Health Industry Cybersecurity Practices (i.e. 405(d), available here) has two technical implementation volumes: one for small organizations and one for medium and large organizations. The companion document, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, provides the overview and includes a "best fit" decision table that affected entities can use to pick the volume that applies to them.
Lastly, OCR will recognize implemented cybersecurity practices and controls from any other cybersecurity framework that is "...explicitly recognized by statute or regulation..." The presentation did not provide links to, or name, any of these "other" programs or frameworks, so entities relying on this category should be prepared to cite the statute or regulation that recognizes their chosen framework.
Click the graphic below if you want to watch the source video. There is more to the video than is presented here. Bring popcorn and...
Stay (HIPAA) safe,