OCR Shares Information About Recognized Security Practices, Clarifies No ‘Safe Harbor’

Most privacy and security professionals wouldn’t turn to YouTube to learn how to reduce their chances of suffering arguably the worst development of their careers—public and often very pricey enforcement action by the HHS Office for Civil Rights (OCR) against their organization for a real, or alleged, HIPAA violation.

But when the video addresses “recognized security practices” or RSPs—critical components of a new law—that’s exactly what they should do. And HIPAA compliance officials are going to find a few surprises and disappointments, experts say, as they watch the 30-minute recording.[1]

The video comes nearly two years after then-President Donald Trump signed Public Law 116-321, which amends the 2009 HITECH Act to require OCR to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place,” in order to “mitigate fines” and “mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule…between the covered entity or business associate” and the agency.

This appears to mark the first time OCR has issued a video before, or instead of, formal guidance.[2]

Compliance officials at covered entities (CEs) and business associates (BAs) may wish to create a transcript of the video or take copious notes to share with other staff to help bring them up to speed on the agency’s implementation of the law.

The video features just one speaker, Nick Heesters, OCR’s senior advisor for cybersecurity, who gives an overview of the topic in the first 20 minutes and then addresses five questions the agency received in advance of the recording. Slides used in the video are not posted online; OCR made them available to RPP.
