Recognized Security Practices – Take Heed
On January 3, 2020, the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended, creating a “safe harbor” for HIPAA-covered entities and their business associates when they potentially face fines and other penalties under HIPAA. If the covered entity or business associate can “adequately demonstrate” to the Secretary of the U.S. Department of Health & Human Services (DHHS) that it had “recognized security practices” in place for at least the twelve-month period prior to the conduct in question—a HIPAA violation, breach event or audit—the Secretary may determine to mitigate any fines to be assessed, terminate early and favorably an audit that has been undertaken, or mitigate the remedies in any settlement agreement that may be entered into between the covered entity or business associate and the government. In short, a covered entity or business associate that has experienced a data breach incident and is responding to the related DHHS investigation and document requests, or is otherwise under a HIPAA audit, may be able to assert this safe harbor to reduce or eliminate fines and penalties.
On April 6, 2022, DHHS published a Press Release about its Notice in the Federal Register of the same date regarding recognized security practices. The comment period closed on June 6, 2022, and the remainder of that process is pending. On June 10, 2022, the DHHS Office for Civil Rights (OCR) announced on its listserv that it is producing a pre-recorded video presentation for covered entities and business associates on recognized security practices “to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation.” OCR indicated the video should be available sometime this summer and that a further announcement will be made.
Related Practices: Healthcare Law
Related Attorneys: Lani M. Dornfeld, Carol Grelecki, Vanessa Coleman