Feds Signal New Guidance on 'Recognized Security Practices'
Video to Address HITECH Act Changes Affecting HIPAA Enforcement Actions
The federal government will preview new cybersecurity guidance for the healthcare industry via a pre-recorded video presentation slated for a summer release while also asking for public input on the topics its officials will address.
In a Friday email to stakeholders, the Office for Civil Rights within the Department of Health and Human Services said the video will guide regulated healthcare entities on the "recognized security practices" that regulators will consider when determining HIPAA enforcement actions against organizations.
The email announcement came shortly before the office also issued new guidance on Monday for audio-only telehealth sessions.
Security Practices Video
A 2021 update to the HITECH Act of 2009 requires the government to review whether a covered entity or business associate has adequately demonstrated that "recognized security practices" were in place during the prior 12 months (see: Bill Spells Out New Factors to Weigh in Setting HIPAA Fines).
A review can be triggered in the aftermath of a breach of protected health information or during a compliance audit. Data collected by Verizon shows the healthcare industry last year accounted for 11% of recorded data breaches, making it the second-most-affected industry, after finance.
HHS OCR says topics planned for the upcoming security practices video include:
- How OCR is requesting evidence of recognized security practices;
- Resources for information about recognized security practices;
- OCR's April request for information on recognized security practices.
The office says it is seeking public input about additional questions the agency might address in the video.
In April, the office issued a request for information seeking input on improving the agency's understanding of how the industry is implementing recognized security practices with the goal of improving enforcement of HIPAA (see: HHS Seek Input on Critical HIPAA Enforcement Considerations).
By the June 6 deadline for responses, the office had received 91 comments on the RFI.
Industry experts told ISMG the video is a first step in the office's response to the comments and the related new guidance that is forthcoming.
"The agency is signaling that it will be implementing the legislation by issuing guidance that will define what are recognized security practices and how organizations can demonstrate that recognized security practices are in place," says privacy attorney David Holtzman of the consulting firm HITprivacy.
Guidance will incentivize better security while avoiding the delays inherent to a formal rule-making process, he adds.
Defining 'Recognized' Security Practices
Regulatory attorney Rachel Rose tells ISMG the guidance will almost certainly refer back to the cybersecurity framework developed by the National Institute of Standards and Technology.
"NIST has long been held as the gold standard for recognized security practices because the government agencies are required to adhere to them, as well as government contractors," she says.
HHS for years has offered a crosswalk linking HIPAA to the framework. The Health Sector Coordinating Council also has on tap a "quick start guide" to cybersecurity practices based on the framework.
New Telehealth Guidance
HHS OCR on Monday continued the audiovisual theme with new guidance on complying with the HIPAA rules in audio-only telehealth.
The guidance aims to clarify how covered entities can provide those services in compliance with the HIPAA Rules, including once the current period of OCR's coronavirus-fueled enforcement discretion for telehealth comes to an end.
When a public health emergency went into effect in 2020 at the onset of the pandemic, OCR granted major flexibilities to covered entities and business associates by exercising enforcement discretion for some requirements of the HIPAA privacy and security standards.
Under an April 2020 notice, the office said healthcare providers can use certain applications to provide telehealth "without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency" (see: COVID-19: HHS Issues Limited HIPAA Waivers).
The new guidance tells providers they can conduct audio telehealth sessions over the telephone without entering into a business associate agreement with the telecom connecting the callers. HIPAA complications set in once the session jumps to an exchange of personal health information that's recorded for later use, such as by a healthcare app. In that case, the healthcare provider will need an agreement with the app provider.
The guidance is "a first step toward preparing healthcare organizations for the expiration of the COVID-19 public health emergency," Holtzman says.
"This guidance is a signal that HHS is anticipating that the PHE will be allowed to expire in mid-September."