
HIPAA Penalty/Audit Relief Cybersecurity Standards

Admin

Updated: Jul 8, 2023

TLDR: Implement a set of Recognized Security Practices across your whole organization for at least 12 months, and OCR must take that into account: you may be eligible for reduced regulatory fines and/or early, favorable termination of an audit.

Overview

The HITECH Act amendment (Public Law 116-321), signed into law on Jan 5, 2021, requires OCR to consider whether a regulated entity has had Recognized Security Practices (RSPs) in place for the preceding 12 months when determining enforcement actions for potential violations of the HIPAA Security Rule: fines (Civil Monetary Penalties), audits, resolution agreements, and other remedies.


What security standards are eligible for this program?

Short answer: The NIST Cybersecurity Framework (CSF) or The Health Industry Cybersecurity Practices (HICP)


Long answer: the standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the NIST Act (in practice, the NIST CSF); the approaches developed under Section 405(d) of the Cybersecurity Act of 2015 (in practice, the HICP); and other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities.


What are the requirements to be eligible for relief?

One of the eligible standards must be fully implemented across the entire organization for at least the preceding 12 months. "Fully implemented" means the whole standard, with all of its controls, not a selected subset. "Entire organization" means the controls must be in place on all of the organization's infrastructure; implementing them on a small subset of machines is insufficient. "Preceding 12 months" means the standard must have been fully implemented across the entire organization for at least the 12 months before the date of the audit or investigation, and must have remained so throughout that period. The clock does not start until the standard is fully implemented across the entire organization.


What evidence is required to be eligible?

The burden of proof rests on the regulated entity. Any empirical technical evidence of implementation may be submitted: screenshots, logs, project progress updates, automated scan results, and the like. Implementation plans do not qualify as evidence of implementation. The organization must be able to show not only that the standard was fully implemented across the entire organization at least 12 months before the enforcement action, but also that it remained implemented throughout those 12 months, so the evidence should be dated and cover the whole window rather than a single point in time.


Is this a Safe Harbor program that shields the regulated entity from liability?

No. This is not a safe harbor program, and it does not change a regulated entity's compliance obligations or liability under the Security Rule. It requires OCR to consider the RSPs the regulated entity has had in place for the preceding 12 months when calculating fines (civil monetary penalties), conducting audits, and establishing corrective action plans (CAPs) and other remedies for potential violations of the Security Rule.


Where can I learn more?
