The Recognized Security Practices Safe Harbor and the OCR

It is hard to go a day without seeing a cybersecurity attack in the headlines. Over the past year and a half, the number of attacks has increased by over 350%. Healthcare entities of all sizes are an enticing target for attackers because a single patient record can fetch $200 or more on the dark web. If a hacker steals a practice's entire patient database, it adds up to a very nice payday. Avoiding a cyberattack such as ransomware, along with the increasing costs of recovering and of repairing the damage to your business's reputation, is a huge incentive to ensure you have appropriate security policies, procedures, and technical controls in place.

A new incentive, referred to as the Safe Harbor for Recognized Security Practices, was signed into law earlier this year. The OCR's regional offices are required to investigate all reported breaches involving the PHI of 500 or more individuals, and they have the option to investigate smaller breaches, too. When the OCR investigates a breach, the entity under investigation has the opportunity to show that it has had recognized security practices in place for at least the past 12 months. If it does, the safe harbor law requires the OCR to consider a lower penalty and to lessen the severity of other enforcement methods, such as a corrective action plan. The length and depth (level of detail) of the investigation must also be reduced. These new requirements could potentially save a provider or business associate a lot of time, money, and worry.

What are recognized security practices? The safe harbor law provides two examples and a general definition. Basically, any security practices that have been developed from or recognized by laws, regulatory agencies, or official guidance meet the requirement. Neither the HIPAA Rules nor the OCR requires a particular source or program to follow for security practices. Security practices include things like ensuring passwords are long and complex, keeping an accurate inventory of the hardware and software that handle PHI, performing an annual risk analysis, and training employees when hired and annually thereafter. Guidelines published by the National Institute of Standards and Technology (NIST) are specifically referenced in the safe harbor law, and on its website the OCR provides educational material and links to the NIST Cybersecurity Framework and its other guidance on implementing the HIPAA Security Rule.

Another perk of the safe harbor law is that the OCR cannot increase fines or penalties if the security practices an entity has in place meet the standards of the HIPAA Security Rule but are not part of a specific program or from a particular organization. In other words, you can mix and match any practices that meet the standards of the HIPAA Security Rule.

It is important to remember that there is no such thing as HIPAA Certification or being "HIPAA Certified." The Office of the National Coordinator for Health Information Technology (ONC) certifies technical specifications in EHR software, but no other area of HIPAA compliance has an official certification by a government agency. Endorsements by commercial programs show only that an entity's practices meet the standards of that program; they cost money and require ongoing fees to continue using the endorsement. Your IT service provider is a business associate and is required to comply with the HIPAA Security Rule, the Breach Notification Rule, and parts of the Privacy Rule. They can support the technical component of your HIPAA compliance program.

Total Medical Compliance gives clients the tools and first-class support to help comply with the HIPAA Rules and training requirements. TMC’s policies, procedures, forms, and guides are kept current to reflect changes to rules and regulations. Clients receive customized support during audits, investigations, and breaches.