The U.S. Department of Health and Human Services headquarters is seen Nov. 15, 2016, in Washington. (Photo by Mark Wilson/Getty Images)

A new video from the Office for Civil Rights outlines the evidence and documentation entities impacted by a healthcare data breach must provide the agency in order to qualify for the relief outlined in the HITECH Act’s safe harbor amendment.

The Trump administration signed HR 7898 into law on Jan. 5, 2021, which amended the HITECH Act and is seen as a way to incentivize provider organizations for meeting best practice cybersecurity requirements rather than handing down massive monetary penalties for entities experiencing a data breach despite best efforts.

The bill directs the Department of Health and Human Services to take into account the breached entity’s use of industry-standard security practices within 12 months of the reported security incident, when it audits the entity to determine possible enforcement actions.

HHS must also consider those measures when calculating those penalties tied to security incidents, while decreasing the extent and length of its investigation when the impacted entity is found to have met those security requirements.

“‘Recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under” NIST and the Cybersecurity Act of 2015, as well as other programs that address cybersecurity developed and/or recognized by regulations under other statutory authorities, according to the law.

The Office for Civil Rights began considering those measures during its investigations last year, explained Nick Heesters, senior advisor for cybersecurity for the HHS Office for Civil Rights.

John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, lauded the video and the bill’s importance, as it “provides significant incentive for hospitals and health systems to voluntarily implement recognized cybersecurity practices,” particularly in the “face of continued high-impact cyberattacks and increased government scrutiny of healthcare cybersecurity practices.”

Health organizations encouraged to review NIST Cybersecurity Framework, HICP for best practices

In the video, Heesters breaks down the recognized security requirements in order for entities to understand how it applies and what documentation is needed to reap the benefits of the safe harbor bill.

Provider organizations are urged to review the NIST Cybersecurity Framework and/or the Cybersecurity Act of 2015, or even the Health Industry Cybersecurity Practices (HICP), also known as 405d, which outline best practices. For smaller or medium entities, the HICP is tailored to meet the specific needs of those organizations.

Entities choosing the 405d can implement the cybersecurity practices, which also include technical volumes that detail needed measures for “asset management, endpoint protection, vulnerability management, and incident response, and other programs and processes that address cybersecurity,” Heesters explained.

“OCR will request regulatory or statutory citations from entities choosing ‘other’ recognized security practices showing they were developed, recognized, or promulgated by statute or regulation,” he added. “It’s important to note that implementing recognized security practices is an entirely voluntary process.”

However, for OCR to consider these elements, Heesters reminded entities that they must provide the agency with evidence these measures were in place for at least 12 months before the reported security incident. The implementation of these practices will only be viewed as a mitigating factor in its investigations and audits.

On the other hand, the language of the bill notes that “failure to implement recognized security practices will not be used as an aggravating factor in OCR investigations, and there is no liability for a regulated entity that has not implemented recognized security practices,” said Heesters, meaning that entities will not be penalized for not participating in the implementation.

The provided evidence is meant to be “illustrative — not comprehensive or exclusive.” As such, an entity can provide any evidence it deems can support it has adequately implemented best practice measures.

Heesters warned providers of three key distinctions: future plans to implement best practices without actual implementation is not sufficient, the measures must be implemented not merely written down, and those measures must be implemented across the enterprise.

“A binder of required security practices sitting on a bookshelf doesn’t demonstrate that they have been implemented,” he stressed. “Recognized security practices, as a whole, should be implemented in a manner that protects ePHI throughout a regulated entity’s enterprise.”