Last year, Congress directed the Secretary of Health and Human Services (HHS) to take into consideration efforts by organizations subject to HIPAA security standards (“covered entities” and “business associates”) to implement “recognized security practices” whenever HHS determines fines and other remedies for HIPAA security violations.

…the Secretary shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—

(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit under section 13411; and

(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule… [42 U.S. Code § 17941]

“Recognized security practices” are those “standards, guidelines, best practices, methodologies, procedures, and processes developed through the National Institute of Standards and Technology (NIST) and under the Cybersecurity Act of 2015.” [15 U.S. Code § 272(c)(15)]

To develop and describe the process for weighing covered entity and business associate efforts to protect health information from unauthorized use and access, HHS has issued a request for information (RFI). The goal of the RFI is to answer these and other questions:

How covered entities and business associates understand and are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and other implementation issues they are considering or would like OCR to clarify for the public and stakeholders through potential guidance or rulemaking. [Federal Register / Vol. 87, No. 66 / Wednesday, April 6, 2022]

The RFI solicits stakeholder and public input on security practices and on the harms caused by HIPAA violations, to assist in the development of a framework for mitigating fines and penalties for covered entities and business associates that are trying to satisfy HIPAA security standards.

For those who don’t remember, below is the NIST core framework for developing information security protocols and managing information security risks. If you are behind in this work, it is time to step up your game.