The HHS Office for Civil Rights (OCR) is producing a pre-recorded video presentation for HIPAA covered entities and business associates (regulated entities) on “recognized security practices,” as set forth in Public Law 116-321 (Section 13412 of the Health Information Technology for Economic and Clinical Health Act (HITECH)). The statute requires OCR to take into consideration in certain Security Rule enforcement and audit activities whether a regulated entity has adequately demonstrated that recognized security practices were “in place” for the prior 12 months. This presentation is intended to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation. The video will be available this summer, and an announcement is forthcoming.

In advance of the video, OCR welcomes questions that could be addressed during this presentation. If you have questions about recognized security practices for the presentation, please send them to [email protected] no later than June 17, 2022.


  • Nicholas Heesters, Senior Advisor for Cybersecurity, OCR

Topics include:

  • The 2021 HITECH Amendment regarding recognized security practices
  • How regulated entities can adequately demonstrate that recognized security practices are in place
  • How OCR is requesting evidence of recognized security practices
  • Resources for information about recognized security practices
  • OCR’s Request for Information (RFI) on recognized security practices

Please stay tuned for a separate announcement with the details of how to view the presentation.