The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced June 10, 2022 that it is producing a video presentation on “recognized security practices” as set forth in the recent amendment of the Health Information Technology for Economic Health Act (HITECH Act) and is seeking questions from the public that OCR could address during the presentation. The video is expected to be available for viewing this summer and will be welcomed by those covered entities and business associates as the statutory amendment is short on details about how OCR will implement the new provisions.

The HITECH Act now requires OCR to consider in certain Security Rule enforcement and audit activities whether a covered entity or business associate (a regulated entity) has adequately demonstrated that it had recognized security practices in place for the prior twelve months.  Regulated entities that can demonstrate to OCR that they have had recognized security practices in place for the prior twelve months may qualify for mitigation of fines and other remedial measures.

In addition to the upcoming video presentation, OCR recently issued a Request for Information (RFI) regarding the “recognized security practices.”  See our previous Health Law Rx blog on the RFI comment period for the RFI closed June 6, 2022.

Pending further regulatory activity, OCR is asking interested parties to submit questions to be addressed during its video presentation. According to OCR’s email announcement, the video presentation is intended to “educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation.”  OCR plans to address these topics in the video:

  • The 2021 HITECH Act amendment regarding recognized security practices;
  • How regulated entities can adequately demonstrate that they have recognized security practices in place;
  • How OCR is requesting evidence of recognized security practices;
  • Resources for more information about recognized security practices; and
  • OCR’s recent RFI on recognized security practices.

Regulated entities that want to submit questions must act quickly by emailing OCR at no later than Friday, June 17, 2022. Covered entities and business associates should also watch for an announcement from OCR with the release date of the video.  In the meantime, regulated entities should begin implementing recognized security practices, if they have not already done so, and assess how they can document that such practices are in place and operational.