As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions directed to the OCR in response to OCR’s June 2022 call for input on the implementation of RSPs. While the video should be viewed in its entirety, we discuss here some of the more noteworthy aspects: (1) the OCR’s position on the “voluntary” nature of RSPs, (2) the goal posts around implementation, (3) the importance of robust asset inventory practices, and (4) supporting evidence of RSP implementation.
The statutory root of RSPs is found in the 2021 HITECH Act amendment (the “Amendment”). As covered in a prior blog post, the Amendment creates an opportunity for entities to advocate for their security posture, by demonstrating implementation of RSPs for the