OCR to Release Video on HITECH Recognized Security Practices

June 13, 2022 - The HHS Office for Civil Rights (OCR) announced plans to produce a pre-recorded video presentation on the Health Information Technology for Economic and Clinical Health Act (HITECH) recognized security practices.

“The statute requires OCR to take into consideration in certain Security Rule enforcement and audit activities whether a regulated entity has adequately demonstrated that recognized security practices were ‘in place’ for the prior 12 months,” OCR said in a statement released through its HIPAA Privacy Rule listserv. 

“This presentation is intended to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation. The video will be available this summer, and an announcement is forthcoming.”

In early April, OCR issued a request for information (RFI) seeking feedback on recognized security practices under HITECH. In January 2021, Congress enacted an amendment to HITECH “to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”

The amendment gave covered entities and business associates room to interpret what “recognized security practices” were right for their organizations.

Among other industry groups, the Connected Health Initiative (CHI) and the Medical Group Management Association (MGMA) both responded to the RFI, urging HHS to provide clarity, best practices, and guidance on HITECH measures.

MGMA recommended that HHS continue to recognize the definition of “recognized security practice” in order to ensure that providers have the flexibility to adopt the security practices that are most relevant to their organizations.

In its response, CHI noted that current security standards are likely to evolve, and new ones will surface over time. With this in mind, CHI urged OCR to include new and emerging risk management security standards in its recognized security practices.

The upcoming video presentation will be led by Nicholas Heesters, OCR’s senior advisor for cybersecurity. OCR provided the following talking points that will be addressed in the video:

• The 2021 HITECH Amendment regarding recognized security practices
• How regulated entities can adequately demonstrate that recognized security practices are in place
• How OCR is requesting evidence of recognized security practices
• Resources for information about recognized security practices
• OCR’s Request for Information (RFI) on recognized security practices

If covered entities or business associates have questions about recognized security practices that they would like OCR to address, they can send them to OCRPresents@hhs.gov by June 17.