Recognized Security Practices
Why You Should Care About Recognized Security Practices
Recognized Security Practices Amendment to HITECH Act 2021
A new HITECH amendment which was recently passed into law, gives medical practices and business associates an incentive to implement consistent recognized security practices. Businesses that can prove they have been following these clearly defined guidelines are assumed to be doing their best to properly protect important data. So if a breach does occur, HIPAA fines and other penalties may be reduced if you can prove that you have had the proper policies and procedures implemented for at least 12 months.
What is the new 2021 HITECH amendment about?
Amendment to HITECH Act 2021 (Public Law 116-321, HR 7898)
This new amendment to the HITECH Act creates an incentive that could mitigate the enforcement requirements OCR follows in relation to Security Rule violations. It adds three specific enforcement considerations if you can prove you have followed what it designates as “recognized security practices” for the previous 12 month period.
- Mitigates fines issued in civil money penalty cases
- Results in the early, favorable termination of an audit done under the random audit requirements
- Mitigates the remedies negotiated between OCR and organizations that reach settlements and CAP arrangements (the thing we see the most)
As mentioned above, to take advantage of the new amendment’s value you must prove you have been following these “recognized security practices” for the prior 12 months. This means you can’t suddenly start following the guidelines to solve a problem that already occurred. If you want this enforcement consideration option in your corner, you must have the proper policies built into your organizational processes and procedures well in advance of a problem to qualify. If you can prove it, though, it could mean much welcome relief for victims of cyber attacks who also face HIPAA compliance investigations, penalties, and corrective action plans.
What are these recognized security practices?
Amendment to HITECH Act 2021
Under the information icon is the legal definition of Recognized Security Practices stated in the amendment.
That 2(c) bit is the law that directed NIST to create the Cybersecurity Framework for Critical Infrastructure Industries. So the specifically designated practices are NIST CSF and the recommendations developed by the 405d Task Group such as HICP. We have been helping our clients follow these procedures from the beginning, so this validation certainly feels good. Of course, we have also discussed the use of CIS20 and other freely available standards, which meets these definitions as well.
Recognized Security Practices Defined
The term “recognized security practices” means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule.
Do I have to follow “recognized security practices” to be HIPAA compliant? No.
Amendment to HITECH Act 2021
No. It is simply a recommended option to help your organization mitigate the impact of HIPAA security violations and audits. You do not have to do this to meet HIPAA security regulations, and there is no penalty for choosing not to follow these practices.
It is not a guarantee that you will get a pass in enforcement either. It just means they must take it into account when violations are found as they go through the enforcement process.
How can Kardon help you take advantage of this opportunity?
You Ask, We Answer
By working with us, you are already on the right path! We have been using similar guidelines for years, and talking about them on a regular basis on our Help Me With HIPAA podcasts.
In fact, we have recorded tons of podcast episodes about these topics since we began this journey. The first time we talked about NIST CSF was in August 2015, and we covered CIS 20, HITRUST, and HICP several times.
One very important piece of good news is that Donna Grindle, Kardon CEO and resident Subject Matter Expert on all things Cybersecurity and HIPAA, has been on the 405d Task Group working on updates and additional content since 2019. We know what is going on with HICP and have a voice in its future. You can’t get much closer to the pulse than that!
Recognized Security Practices included in Kardon Services
Because we have been proponents of using these types of frameworks for years, it has been built into most of the services we provide from day one. Many areas were already under development to add even more references to these recognized security practices in our content long before the bill was introduced, much less passed into law. Check out some of them below:
Security Risk Analysis and Assessment Reports
Kardon Security Risk Analysis and Assessment reports have been referencing NIST CSF requirements for years. Our planned 2021 updates to this content and its processes already included adding the HICP 405d specific references.
Policies and Procedures Solution
Kardon Policies and Procedures Solution cross referenced to the NIST CSF on day one. We have already built the cross reference to HICP 405d and had already planned to add those references to to the documents in 2021.
Healthcare Security Awareness Training
Kardon’s newly released Healthcare Security Awareness video series is built specifically following the HICP 5 Threats discussions and examples so you can tap into all the freely available information released by HICP 405d. That series was added to our new Workforce Training Portal in 2020. It is also available in SCORM format for those with their own LMS.
The HIPAA Boot Camp
We have taught the importance of considering use of the NIST CSF in each of our HIPAA Boot Camps.
405d HICP was included in summary formats available before the full resources were released in Dec 2018. Then fully covered in sessions in each one we hosted after it came out.
We have also covered the CIS 20 and other framework concepts in our Boot Camps.
We have been developing a plan to expand our use of these recognized security practices prior to this bill’s introduction. We strongly believe that using these references provides for a much more informed, effective and prepared privacy and security program.
We built the foundation for this kind of legislation long ago, since we knew it would come at some point in the future. Now that this amendment has passed, Kardon is moving forward with our expansion plans on a much more aggressive schedule. This amendment now provides the clarification we need to build on our foundation more fully so our clients are as protected as possible should a breach occur.
Where can I learn more?
Remember, you have to prove you have been following these practices for 12 months, so every day you delay puts you further away from being able to claim the advantages of this incentive.
Learn more about this incentive program in our additional resources section: Click Here