As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions directed to the OCR in response to OCR’s June 2022 call for input on the implementation of RSPs. While the video should be viewed in its entirety, we discuss here some of the more noteworthy aspects: (1) the OCR’s position on the “voluntary” nature of RSPs; (2) the goal posts around implementation; (3) the importance of robust asset inventory practices; and (4) supporting evidence of RSP implementation.
The statutory root of RSPs is found in the 2021 HITECH Act amendment (the “Amendment”). As covered in a prior blog post, the Amendment creates an opportunity for entities to advocate for their security posture, by demonstrating implementation of RSPs for the preceding 12 months. The Amendment requires OCR to consider an entity’s voluntary RSP implementation as a mitigating factor in assessing monetary penalties, agreed corrective action plans, or favorable audit termination. With the goal of improving overall cybersecurity posture, this Amendment was intended to incentivize HIPAA-regulated entities to align their practices to industry-accepted frameworks.
Soon after the Amendment became law, many OCR data requests included a section on RSPs, leading many covered entities to wonder whether RSPs were truly optional. The OCR’s video answers this question, clarifying that RSP implementation is entirely voluntary. The agency will not use the failure to implement RSPs as an aggravating factor when determining penalties; there is no additional liability merely because an entity has not implemented RSPs, nor will lack of implementation be considered an independent basis for a finding of HIPAA Security Rule non-compliance or violation.
However, covered entities and business associates should not be too quick to dismiss RSPs as truly “voluntary.” Regardless of OCR’s clarification, the HIPAA Security Rule still requires covered entities and business associates to implement certain technical safeguards, and RSP implementation provides an OCR-recognized path to Security Rule compliance. For this reason, we’re advising our covered entity and business associate clients that RSPs should not, in practice, be considered optional. They go hand in hand with Security Rule compliance.
This brings us to the next key point made by Heesters. In the new video, the OCR emphasizes that to be able to claim RSP implementation as a mitigating factor, the entity “must adequately demonstrate RSPs in place for [the] previous 12 months.” Planned, future implementation is not enough: “OCR needs to see evidence that recognized security practices are actively and consistently in use throughout the regulated entity’s organization….” OCR will likely view as insufficient any evidence showing only initial adoption, or adoption limited to certain relevant systems or data. In other words, long-term plans to achieve cybersecurity maturity will not score points under the Amendment, and neither will technical safeguards implemented in response to a breach.
Another point of emphasis in the new video is the confusion over “other” programs referenced in the Amendment. The Amendment defines RSP categories to include “standards, guidelines, best practices, methodologies, procedures and processes developed under” Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, Section 405(d) of the Cybersecurity Act of 2015, or “[o]ther programs that address cybersecurity recognized by statute or regulation.” (emphasis added). In the video, responding to a question about what might fall into the “other” category, the OCR declines to identify any specific source of RSPs. Instead, it merely states and reiterates that “OCR will request regulatory or statutory citations from entities choosing ‘other’ recognized security practices showing they were developed, recognized, or promulgated by statute or regulation.” As a practical matter, this could eliminate widely recognized sources of cybersecurity best practices that nevertheless do not bear the required relationship to “statute or regulation.” This will undoubtedly come as a disappointment to many security professionals who have designed organizational security programs based on sources such as the CIS Critical Security Controls or the CSA Cloud Controls Matrix, but the clarity from OCR is welcome.
Finally, the video addresses the importance of maintaining an inventory of all IT assets to ensure that RSPs are implemented enterprise-wide. This again dovetails with the OCR’s expectation that an entity’s security risk analysis will include an inventory of all ePHI. In addition to this inventory, Heesters emphasized the importance of providing adequate evidence to demonstrate implementation of RSPs. The OCR views an RSP data request as a “standing request” (i.e., an ongoing request), and as an entity makes changes or enhancements to its RSPs, the entity should supplement its submission to the OCR. Heesters then discussed the types of evidence of implementation the OCR is willing to consider, including:
- Policies and procedures;
- Project plans and meeting minutes;
- Diagrams and narrative detail;
- Training material;
- Application screenshots or reports; and
- Vendor contracts.
This list should not be viewed as exhaustive. In the video, the OCR emphasizes what we already tell our clients: policies and procedures standing alone are insufficient to demonstrate implementation.
Though the video does not answer all questions about RSPs, there is no doubt that it contains valuable elaboration on how the OCR interprets the Amendment, which aspects of RSPs it considers most important, and what the agency is looking for in response to inquiries.