On January 5, 2021, the HIPAA Safe Harbor Law was enacted as Public Law 116-321. This law requires the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) to consider whether a covered entity or business associate has had “recognized security practices” in place when determining fines or taking enforcement action related to the HIPAA Security Rule.
📄 Read the law (Public Law 116-321)
In essence, aligning your organization’s cybersecurity efforts with established frameworks, such as NIST CSF, could protect your bottom line when things go wrong.
What To Expect During a HIPAA Audit
During an audit or investigation, OCR may issue a data request asking for evidence that your organization has implemented recognized security practices. Here’s what that request typically involves, as described in the official OCR audit letter:
1. Identify Your Recognized Security Practice
You’ll need to specify which framework your organization follows. OCR accepts documentation aligned with any of the following:
- NIST Standards under Section 2(c)(15) of the NIST Act
- 405(d) Health Industry Cybersecurity Practices (HICP) under the Cybersecurity Act of 2015
- Other regulatory-recognized programs (with proper legal citations)
2. Demonstrate Implementation
OCR wants more than policies on paper. You must provide:
- Policy and procedure documents, including effective dates
- Project plans or rollout documentation with timestamps
- Evidence of actual use (e.g., screenshots, audit logs, reports)
- Detailed explanations of how security practices are applied throughout the organization
- Identification of responsible personnel
3. Workforce Training
Proving that your staff understands and uses these practices is equally important. OCR may ask for:
- Training materials
- Training completion dates
- Documentation of staff roles in supporting recognized security efforts
4. Continuous Updates
The request is “continuing in nature”—OCR expects updates if your implementation status changes during the audit. This includes newly adopted elements, updated frameworks, or revised policies.
Building a Defense Before a Breach
The best time to align with recognized security practices is before you’re audited. Implementing and documenting your cybersecurity strategy in line with frameworks like NIST or 405(d) not only strengthens your defense against threats but also gives you an edge if OCR ever comes knocking.
Action Steps for Healthcare Organizations
- Choose a Recognized Framework: for example, the NIST Cybersecurity Framework or the HICP 405(d) Practices.
- Create and Maintain Documentation: Keep everything from policies to project timelines well-organized.
- Train Your Workforce: Regular and thorough training is critical.
- Keep it Current: Update your practices and records regularly.
- Be Ready to Share: Ensure you can produce all necessary documentation quickly if OCR initiates an inquiry.
Final Thoughts
HIPAA compliance is no longer just about checking boxes. It’s about building a culture of security, supported by verifiable, recognized practices. Aligning your cybersecurity program with these expectations doesn’t just reduce risk—it can also mean the difference between a costly fine and a mitigated resolution.