OCR Recognized Security Practices Guidance – Ep 384 

OCR recently released a video on their Recognized Security Practices initiative. The intent is to teach HIPAA regulated entities on what Recognized Security Practices is and what is required to prove its implementation in your organizations. We will review the video today and give you some key takeaways from it.

In this episode:

OCR Recognized Security Practices Guidance – Ep 384

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

Thanks to our donors.

Entire HIPAA Say What!?! Episode

OCR Recognized Security Practices Guidance

The video, featuring Nick Heesters, was released on Halloween. It isn’t scary though. They have to do things properly when speaking on these things. We have it embedded above and a link to it here: OCR Recognized Security Practices Video Presentation

Here is the opening explanation of what the video is all about:

The point is made very specifically that you are not required to implement Recognized Security Practices (RSP) to be compliant with HIPAA. In fact, he clearly states that:

So, don’t think you can have all your RSP documentation to get out of an investigation into privacy violations.

• They are calling it either recognized security practices or RSPs.
• First he goes through all the things we have covered many times about this new amendment.
  • Next, is a review of the NIST CSF explaining where to get information and the IPDRR involved.
  • Then, HICP is reviewed. Main guide plus tech volumes.
  • Other options are allowed but they must be “explicitly recognized by statute or regulation”. Those require specific reference as to where the framework or practices are legally required. This is where the lawyers have to get involved. Another reason I recommend making sure you can cross reference to NIST or HICP to give yourselves an easier path.
• We already knew they were implementing the consideration of recognized security practices last year when we saw it on some requests. Since then we have seen it on every OCR data request that involved questions about the Security Rule.
• If you are going to demonstrate you have implemented recognized security practices there are very specific points about the evidence they expect to see as full implementation:
  • “Plans to implement RSPs at a future date is not evidence of implementation.” Just saying you are going to do it isn’t good enough. You need to already be doing it and have it well integrated into your risk management plans.
  • “merely having written recognized security practices, absent actual implementation of the practices is insufficient. Implementation means the practices have been disseminated to necessary workforce members, and the practices are actually being used by the entity. A binder of RSPs sitting on a bookshelf doesn’t demonstrate that they have been implemented.”
  • “recognized security practices should be implemented throughout the enterprise. For example, it is not sufficient to implement RSPs for one workstation, one application, or only for a narrow slice of an entity’s organization.”
• [18:44] This point is very important. Something we will be helping push a bit harder with those who are responding to these requests in an active case.
  • “Regulated entities are also asked to notify OCR of a change in status in the implementation of its RSPs and if there is additional, new, or updated evidence of RSP implementation the regulated entity would like OCR to consider.”
  • “the data request should be considered as a standing data request, and as a regulated entity adds or makes changes to their recognized security practices, they can continue to provide that information to OCR.”
  • “a regulated entity doesn’t only have one opportunity to provide evidence of implementation of recognized security practices.”
• The list of example documentation to demonstrate implementation are basically what we see in the requests already.

What constitutes implementation throughout the enterprise? E.g., servers, workstations, APIs?

There is a lot in the discussion but to me what I hear is if the practice says something like maintain an inventory then you can show that you have that inventory. If it says use MFA then show you are actually using MFA by showing when it was implemented, where, and how.

Will mappings to the NIST Cybersecurity Framework be acceptable?
This one we have already mentioned many times. If what you are doing maps then present your documentation based on the NIST mapping. That doesn’t mean just show you have the map. It means show what you are doing that proves you and how it applies to NIST. Seriously, do not make this complex. They expect to see proof of NIST if you say you are using it then show your work. Again, he reiterates that list of examples from before.

There are two named “recognized security practices” in the regulation. Are there others?

The answer is exactly what we started with – there is an “other” category. It was interesting that he did note this point about potential other RSP recognized:

The last question:

Will OCR rely on (1) self or third-party assessment reports, (2) artifacts such as corporate policy documents and vulnerability scan reports based on specific OCR requests, or (3) a combination of the two approaches to provide the evidence of recognized security practices?

He then goes on to say the same points about what kind of evidence you could supply.

[39:20] Our Big Takeaways

• They are not kidding about the 12 months of proof.
• If you are improving your recognized security practices implementation and you are in an unfortunate situation like an investigation requiring you to supply information to OCR you definitely need to send them an update of your progress.
• Yes, it is voluntary but they will be asking about it every investigation. You won’t be punished for not having it but at the same time, you better have every other t crossed and i dotted.
• If you are considering doing nothing, check with your insurance provider and your lawyer before locking that in.

Of course, we highly recommend using HICP to implement your recognized security practices. It is designed specifically for all different types of organizations and adapts to the various size and complexity of organizations. Like we said last week, there is something to say about being healthcare specific and easy to implement. Plus, with the mapping to NIST CSF built right into it, you are building the foundation for that if you need to go further.

Watch Nick’s video on Recognized Security Practices and consider adopting it in your organization. If you have already started down that path and are implementing the NIST Cybersecurity Framework, great! Continue to do so. If not, and you are in healthcare, evaluate the HICP approach. It is much easier and provides you with a good foundation for security. The 405(d) task group continues to release resources to help keep you up to date on security protections.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

Special thanks to our sponsors Security First IT and Kardon.