It’s been over 25 years since HIPAA became law. During that time, the processes and frameworks that surround cybersecurity and the protection of patient data have changed significantly. Still, healthcare organizations of all sizes often struggle with the ambiguity surrounding HIPAA as the guidelines don’t stipulate how they should be applied within a specific organization’s capabilities, resources, or threats.
The practices outlined in 405(d) HICP bring clarity and alignment where previous guidelines have not, including specific cybersecurity guidance scaled to the size of an organization (small, medium, or large).
Whether you’ve been familiar with 405(d) HICP for some time or are new to the framework, here’s a quick rundown of the most important things you should know:
- It all started with the Cybersecurity Act of 2015. In fact, it’s section 405(d) of this act that called for a more coordinated approach to cybersecurity in the healthcare industry. In 2017, as a result of this Act, Health & Human Services (HHS) convened a task force of 200 information security officers, medical professionals, privacy experts, and industry leaders. It’s this task force that developed consensus-based guidelines, practices, and methodologies to strengthen healthcare against cyber threats. From this work, HHS issued voluntary cybersecurity guidance for healthcare entities known as Health Industry Cybersecurity Practices (HICP).
- 405(d) HICP is a voluntary set of federally recognized standards; adopting and documenting these practices can work in your favor should you find yourself audited by the Office for Civil Rights (OCR). In 2021, a bill named HR 7898 was signed into law as an amendment to the HITECH Act and is now known as Public Law 116-321. The law requires HHS to recognize the adoption of cybersecurity best practices, like 405(d) HICP. If an organization can demonstrate that it has had 405(d) HICP in place for no less than 12 months prior to the point of an investigation, it may result in the mitigation of fines and early, favorable regulatory treatment.
- 405(d) HICP is not a safe harbor nor does it provide HIPAA relief. This one is really important because HR 7898 has been referred to by many as “the HIPAA safe harbor act” when in reality it does not provide regulatory relief. In other words, health organizations and their business associates still have to abide by HIPAA, can still be audited for violating HIPAA, and can still face penalties.
- 405(d) HICP does not replace the need for your organization to have established HIPAA policies and procedures, nor does it replace the need for risk analysis. Rather, your risk analysis process can be used to identify and prioritize the rollout of 405(d) HICP controls.
- Industry experts tell us that every OCR inquiry now includes a request for proof of recognized security practices, if adopted by the organization. What’s more, some investors, cyber insurers, and other third parties have begun requiring that healthcare organizations they contract with demonstrate the adoption of recognized security practices.
- Practices and sub-practices outlined in 405(d) HICP are broken out by organizational size: small, medium, and large. Size is determined by IT capacity, cybersecurity investment, organizational size, and complexity, and as organizations grow, they need to reevaluate which size category they fall into. Large organizations also have to account for the practices outlined for medium and large.
- Clearwater can help. From resources and education to assessing and documenting your 405(d) HICP progress, we’re ready. Clearwater’s IRM|405(d) HICP™ software module can help you identify, organize, and prioritize your 405(d) HICP controls and simplify the documentation process so you’re ready when you need it. If you’ve had 405(d) HICP practices in place for 12 months or longer, you may be ready for an assessment conducted by our team of experts.
Resources for Getting Started
Regardless of where you are in the process of establishing and documenting 405(d) HICP practices, the right tools and resources can go a long way. Take a look.
Information from HHS:
For informational purposes: Small organization controls are stand alone; large organization controls include the medium and large controls.