OCR Releases New “Recognized Security Practices” Video


On October 31, 2022, the last day of National Cybersecurity Awareness Month, the U.S. Department of Health & Human Services (DHHS), Office for Civil Rights (OCR) published a new video presentation on “Recognized Security Practices” to assist HIPAA covered entities and business associates. Topics covered in the video include:

• The 2021 HITECH Amendment regarding recognized security practices
• How regulated entities can demonstrate that recognized security practices are in place
• Details about the evidence of recognized security practices that may be requested by OCR in the event of a HIPAA Security Rule investigation or audit
• Where to find more information about recognized security practices
• Answers to a selection of questions submitted to OCR in June 2022 on recognized security practices

By way of background, on January 3, 2020, the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended, creating a kind of “safe harbor” for HIPAA covered entities and their business associates when facing potential fines and other penalties under HIPAA. If the covered entity or business associate can “adequately demonstrate” to the Secretary of DHHS that it had “recognized security practices” in place for at least the 12-month period prior to the conduct in question—HIPAA violation, breach event or audit—the Secretary may determine to mitigate any fines to be assessed, favorably terminate an audit early, or mitigate the remedies in any settlement agreement entered into between the covered entity or business associate and the government. In short, a covered entity or business associate that has experienced a data breach incident and is responding to the related DHHS investigation and document requests, or is otherwise under a HIPAA audit or investigation, may be able to reduce or eliminate fines and penalties if it can sufficiently demonstrate its implementation of recognized security practices.

For more information or if you need assistance with your HIPAA compliance program, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com
