New OCR Video Clarifies HITECH Amendment



On October 31st, the HHS Office for Civil Rights (OCR) released their promised educational video on the recognized security practices (RSPs) addressed in last year’s HITECH amendment. The presentation was given by the senior advisor for cybersecurity at the OCR, Nick Heesters.

What Was the HITECH Amendment?

In a nutshell, the amendment from January 2021 required the OCR to “take a covered entity’s recognized security practice implementation from the past 12 months into account when conducting Security Rule audit and enforcement activities.”

It’s important to note that these RSPs were not specifically outlined, giving healthcare providers the ability to implement practices that best fit their organization and to have some control over their compliance efforts. This flexibility within the requirement raised a lot of questions, which we discussed in our newsletter The Medcurity Report earlier this year, after the OCR had gotten responses to their request for information.

What Was Explained in the Video?

In the new video, Heester addressed several of these questions, providing some more guidance and context around how organizations can and should be implementing RSPs. While the OCR will place no limits on the types of security practices that an organization can submit to them for consideration in the case of an audit, it was also clarified that no implemented RSPs can entirely exempt providers from being fined or required to work through a corrective action plan.

However, as stated in the amendment the OCR will consider a provider’s previous security efforts in their investigation of a HIPAA breach as a “mitigating factor.” Covered entities should be aware of the importance of the privacy and security practices addressed in the video, but a large “gray area” still surrounds this requirement.

Your team at Medcurity is here to help you choose the right security practices for your organization. If you have questions about your current security posture or about the RSPs addressed in the HITECH amendment, please don’t hesitate to reach out to us.