Under the new law, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), when deciding whether to penalize an organization for a Security Rule violation, must consider whether that entity had recognized security practices in place during the twelve months preceding the violation. Where it did, OCR may mitigate fines, terminate an audit early and favorably, or impose less onerous provisions in any resolution agreement. What exactly OCR must consider, and how exactly penalties will be mitigated, await rulemaking before the provision is applied in enforcement. How OCR has gathered the information it needs for that rulemaking is described below.
In April 2022, OCR issued a public Request for Information (RFI) seeking comment on how HIPAA covered entities are implementing recognized security practices. The comment period closed on June 6, 2022, with a total of 91 public comments submitted.