Recognized Security Best Practices – 405 (d) Audit

  • Deann Tucker, MHA, RHIA, CHPS, CHPC, CCS
    Senior Manager


On January 5, 2021, President Trump signed into law H.R. 7898, which amends the Health Information Technology for Economic and Clinical Health (HITECH) Act, requiring the secretary of the US Department of Health and Human Services (HHS) to consider certain recognized security practices when making determinations relating to fines and corrective action plans.

If you report a significant security incident to HHS, the initial information request you can expect will likely ask for documentation of your adopted recognized security best practices using the following language.

“If your organization has implemented ‘recognized security practices’ that you wish OCR to consider as a mitigating factor in the resolution of a potential violation of the HIPAA Security Rule with an agreement, or in the determination of a proposed civil money penalty, please provide documentation demonstrating the implementation of such ‘recognized security practices.’”

At Coker Group, we specialize in HIPAA compliance. Our team can help you document your implementation of recognized security best practices effectively. We have a proven approach that combines documentation review and subject matter expert interviews, ensuring your organization is fully prepared to respond to a request for information from OCR.


Did you know Security Risk Analyses and 405 (d) Audits can be very helpful tools when considering a merger or acquisition? They help identify good (or bad) security practices and vulnerabilities!


We will utilize the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guide to help identify and document your implemented best practices.


Top Ten (10) Best Practices for Managing Threats and Protecting Patients

  1. Email Protection Systems
  2. Endpoint Protection Systems
  3. Access Management
  4. Data Protection and Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability Management
  8. Incident Response
  9. Medical Device Security
  10. Cybersecurity Oversight and Governance


If you’re a healthcare executive looking to safeguard your organization’s reputation and financial stability, reach out to us today. Let’s discuss how we can document your organization’s security best practices.

