What does “Recognized Security Practices” mean?

We have talked in the past about the Office for Civil Rights conducting a minimum of a 12 month look back for data security/ HIPAA compliance efforts. If an organization suffers a breach, with proper documentation fines may be waived. This is becoming known as “Recognized Security Practices”. Every organization will have different documentation based on their network configuration and how data flows in and out of your information systems. This isn’t really anything new since data security requirements have been in place since the Security Rule was enacted. There have been updates over the last few years, and they are making some new revisions requiring covered entities and business associates to document their efforts now more than ever. NIST SP800-66 Rev. 2

This includes ensuring your policies and procedures are documented and followed by your staff. Our online system makes this task must easier by enabling the HIPAA compliance officer to download and share certain policies for employees to review. Plus, the confidentiality and acceptable use agreement that is signed via DocuSign demonstrates you have advised your employees they must follow your policies and procedures.

Another part of this documentation should be reports from your IT department/vendor. Again, depending on how you access ePHI (electronic protected health information), reports will vary from practice to practice. Some suggested reports are:

  1. Managed devices. You can use this as your inventory list instead of completing the list in your package. However, we still recommend documenting which devices have been used to access and/or store ePHI.
  2. In the report above, this may contain operating systems, patches / updates that have been applied, IP addresses, User ID, and a device name. All of this is useful information, and if the report does not contain this information, you need to look for another report.
  3. Software lists are very important since you can see if any employee has downloaded unauthorized software or if a computer has been compromised.
  4. Device health reports typically include information on anti-virus, last log in, some record failed logins, or that is in a different report. These are must have reports.
  5. Access logs may be located within the software the IT vendor utilizes to manage your network, within your domain controller, and within your EHR/PM software. These reports must be reviewed to ensure employees are only accessing ePHI based on their job function and to look for outside intrusions.
  6. Backup reports should demonstrate when backups are performed and to ensure they are successful.
  7. Summary reports are useful, but you must make sure you review them, and they can be lengthy.

There are times when certain devices cannot be updated or upgraded due to the nature of the equipment and the cost to do so. This would not necessarily be a violation if you demonstrate other means to protect your system. For example, either removing the outdated equipment from internet access or placing it on a separate network so it would not be accessible by other drives that contain ePHI. Your IT vendor should be able to guide you through the proper process based on your particular network.

Annual audits by a third party are highly recommended unless your IT vendor specializes in network security. Often, these two types of companies work well together. The IT vendor handles the day-to-day operations, and the network security companies hardens the systems.

Some organizations complain that this costs too much money. Trust me, this is much less expensive than a data breach. Plus, if you plan on obtaining cyber liability insurance, carriers are now asking detailed questions about data security and compliance efforts. If you do have a data breach and you do not have “qualified documentation”, your claim could be denied. Of course, the term “qualified documentation” is open to interpretation. They do have an outlandish wish list from what I have seen. Although I have always been a proponent of this insurance, I am starting to believe unless you already have a policy, you may not be able to obtain one. If you do apply now, you will need to have HEAVY data security in place. Which you should have anyway!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

The Office for Civil Rights seeks public comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements

The Office for Civil Rights (OCR) released a Request for Information (RFI) seeking comments from all stakeholders including covered entities, business associates, patients, and their families. The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI). 

This RFI will enable the OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

Through today’s RFI, OCR is seeking public comment on the following provisions of law:

  • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.  Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

    One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

    The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
  • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

    The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:

https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health

Please note that comments must be submitted by June 6, 2022 in order to be considered.

Now is the time to make sure you are protecting your data! To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

If you would like to experience the system, scroll down and click schedule a demo.

“Simplifying HIPAA through Automation, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC