What is HHS 405(d) HICP?

HHS 405(d) HICP (Health Industry Cybersecurity Practices) is a voluntary cybersecurity framework published by the U.S. Department of Health and Human Services and the Health Sector Coordinating Council. The framework was created under Section 405(d) of the 2015 Cybersecurity Act and published in 2018, with major updates in 2023. It identifies the top cybersecurity threats facing healthcare organizations and provides recommended practices to mitigate them. The framework explicitly names email phishing attacks as Threat Vector #1, making phishing simulation and awareness training a load-bearing recommended practice.

How is HHS 405(d) different from HIPAA?

HIPAA is a federal regulation enforced by HHS OCR with mandatory compliance requirements and enforcement-action authority. HHS 405(d) HICP is a voluntary framework published by HHS that recommends specific cybersecurity practices but is not enforceable on its own. The 2021 HITECH Amendment (Public Law 116-321) directs HHS to consider an organization's adoption of HHS-recognized cybersecurity practices when determining HIPAA enforcement actions, audits and penalties. In effect, 405(d) HICP adoption can produce enforcement-discount alignment when HIPAA enforcement events occur - though the regulatory text is HIPAA, the demonstrated voluntary practices factor into OCR's response calculus.

What does 405(d) HICP say about phishing specifically?

Phishing is named as Threat Vector #1 in the 405(d) HICP framework - the most prevalent and high-impact threat to healthcare organizations. The recommended Practices include: continuous email-based phishing simulation; awareness training for all personnel handling EHR or PHI; technical controls (email gateway filtering, MFA on remote access, DMARC enforcement); and incident response procedures specific to phishing-driven account compromise. The Practices differ in scope between HICP Volume 1 (Small Health Care Organizations - typically <50 employees) and Volume 2 (Medium and Large), but both volumes treat phishing simulation as core.

Does adopting 405(d) HICP reduce HIPAA enforcement penalties?

Effectively yes, when documented. The HITECH Amendment of 2021 directs HHS OCR to consider whether an organization has adequately demonstrated 'recognized security practices' for the prior 12 months when determining penalties, audit posture, and remediation requirements. HHS-recognized practices include HHS 405(d) HICP and the NIST Cybersecurity Framework. Organizations that document HICP adoption (including phishing simulation evidence) experience materially better OCR enforcement outcomes than those without documented practices. The discount is not automatic - it requires documented evidence of practice adoption over the assessment period.

What's the difference between HICP Volume 1 and Volume 2?

Volume 1 (Cybersecurity Practices for Small Health Care Organizations) targets organizations with limited security resources - typically fewer than 50 employees, single-location practices, smaller specialty clinics. Recommended practices are simplified and budget-aware. Volume 2 (Cybersecurity Practices for Medium and Large Health Care Organizations) targets multi-location practices, hospitals, regional health systems, and large managed-care organizations with dedicated security staff. Practices are more rigorous and assume operational maturity. For phishing programs specifically: Volume 1 = annual training with quarterly testing minimum; Volume 2 = continuous program with auto-assigned remediation plus role-based content for privileged users.

How does 405(d) HICP relate to HITRUST CSF?

HITRUST CSF v11 explicitly maps to HHS 405(d) HICP - the HICP recommended practices appear as control inheritances in the CSF. Healthcare organizations pursuing HITRUST r2 certification substantively satisfy HICP recommendations as a byproduct of HITRUST adoption. The reverse is not always true - HICP adoption alone does not produce HITRUST certification. The relationship: HICP is the public voluntary framework; HITRUST is the private certification framework that incorporates HICP plus additional control sources. Most healthcare organizations targeting both work HITRUST as the primary effort and document HICP adoption as a byproduct.

HHS 405(d) HICP Phishing Training: Voluntary Healthcare Cybersecurity Practices (2026)

Q: Does adopting 405(d) HICP reduce HIPAA enforcement penalties?

Effectively yes, when documented. The HITECH Amendment of 2021 directs HHS OCR to consider whether an organization has adequately demonstrated 'recognized security practices' for the prior 12 months when determining penalties, audit posture, and remediation requirements. HHS-recognized practices include HHS 405(d) HICP and the NIST Cybersecurity Framework. Organizations that document HICP adoption (including phishing simulation evidence) experience materially better OCR enforcement outcomes than those without documented practices. The discount is not automatic - it requires documented evidence of practice adoption over the assessment period.

Q: What's the difference between HICP Volume 1 and Volume 2?

Volume 1 (Cybersecurity Practices for Small Health Care Organizations) targets organizations with limited security resources - typically fewer than 50 employees, single-location practices, smaller specialty clinics. Recommended practices are simplified and budget-aware. Volume 2 (Cybersecurity Practices for Medium and Large Health Care Organizations) targets multi-location practices, hospitals, regional health systems, and large managed-care organizations with dedicated security staff. Practices are more rigorous and assume operational maturity. For phishing programs specifically: Volume 1 = annual training with quarterly testing minimum; Volume 2 = continuous program with auto-assigned remediation plus role-based content for privileged users.

Q: How does 405(d) HICP relate to HITRUST CSF?

HITRUST CSF v11 explicitly maps to HHS 405(d) HICP - the HICP recommended practices appear as control inheritances in the CSF. Healthcare organizations pursuing HITRUST r2 certification substantively satisfy HICP recommendations as a byproduct of HITRUST adoption. The reverse is not always true - HICP adoption alone does not produce HITRUST certification. The relationship: HICP is the public voluntary framework; HITRUST is the private certification framework that incorporates HICP plus additional control sources. Most healthcare organizations targeting both work HITRUST as the primary effort and document HICP adoption as a byproduct.

HHS 405(d) HICP Phishing Training: Voluntary Healthcare Cybersecurity Practices (2026)

By The Bait & Phish Team
Compliance, HHS 405(d), HICP, Healthcare

HHS 405(d) HICP is a voluntary cybersecurity framework but it has a quietly important enforcement effect: documented HICP adoption can produce HIPAA enforcement-discount alignment when OCR comes calling after a breach. The 2021 HITECH Amendment directs OCR to consider an organization's adoption of "recognized security practices" - and HHS 405(d) HICP is one of the recognized practices specifically named.

This post covers what 405(d) HICP actually says, how it differs from HIPAA mandatory compliance, why phishing is named as Threat Vector #1, the practical difference between HICP Volume 1 (small health care organizations) and Volume 2 (medium and large), and how to document adoption such that the documentation produces enforcement-discount alignment when needed.

What HHS 405(d) HICP actually is

The framework was published in 2018 under Section 405(d) of the 2015 Cybersecurity Act, with major updates in 2023. The publishing entities are HHS itself and the Health Sector Coordinating Council. HICP identifies the top cybersecurity threats facing healthcare organizations and provides recommended practices to mitigate them.

Key facts:

Voluntary. No enforcement authority on its own - cannot be cited as a violation directly
Recognized. Named explicitly under the HITECH Amendment as a recognized security practices framework
Two volumes. Volume 1 for Small Health Care Organizations; Volume 2 for Medium and Large
Threat-vector-driven. Organizes practices by the threat they mitigate, not by control category
Phishing first. Email phishing attacks are Threat Vector #1 - the most prevalent and high-impact threat

The 5 threat vectors named in HICP

#	Threat vector	Practice families
1	Email phishing attack	Email controls, awareness training, phishing simulation, MFA, DMARC
2	Ransomware attack	Backup integrity, EDR, segmentation, incident response
3	Loss or theft of equipment or data	Device encryption, asset management, data loss prevention
4	Insider, accidental or intentional data loss	Access management, audit logging, awareness training
5	Attacks against connected medical devices	Network segmentation, vendor management, device-specific controls

Phishing being Threat Vector #1 is operational, not just symbolic. The framework's practice recommendations devote the most detailed treatment to phishing-related controls.

How HICP differs from HIPAA

The relationship is layered:

HIPAA is the federal regulation. Mandatory. Enforced by OCR with civil money penalties up to $2.13M per violation category per year (adjusted annually).
HHS 405(d) HICP is the voluntary framework. Cannot be cited as a violation directly. But adoption produces enforcement-discount alignment under HITECH.
HITECH 2021 Amendment (Public Law 116-321) directs OCR to consider whether an organization has demonstrated "recognized security practices" for the prior 12 months when determining HIPAA enforcement actions. HHS 405(d) HICP and NIST CSF are explicitly named as recognized practices.

Effective enforcement reality: organizations with documented HICP adoption experience materially better OCR enforcement outcomes when breach events occur. The discount is not automatic - it requires documented evidence of practice adoption over the assessment period - but the evidence is exactly what a well-run phishing simulation program produces.

HICP Volume 1 vs Volume 2 for phishing

Aspect	Volume 1 (Small)	Volume 2 (Medium and Large)
Target organization	<50 employees, single-location, smaller specialty clinics	Multi-location practices, hospitals, regional health systems
Training cadence	Annual + quarterly phishing tests minimum	Continuous (monthly) with auto-assigned remediation
Role-based	Recommended for privileged users	Required for privileged users + executives
Multi-channel	Email-focused; SMS optional	Email + SMS + voice
Reporting	Annual summary	Quarterly trend with threshold-exceedance documentation

How HICP relates to HITRUST and HIPAA

vs HIPAA - HIPAA is mandatory; HICP is voluntary; HICP adoption produces HIPAA enforcement-discount alignment under HITECH
vs HITRUST CSF - HITRUST CSF v11 explicitly maps to HICP; HITRUST r2 certification substantively satisfies HICP as a byproduct
vs healthcare phishing simulation deep-dive - the operational practice context for HICP threats translates directly to working program design

Most healthcare organizations end up working with: HIPAA as the regulatory floor; HICP as the recognized-practices documentation; HITRUST as the certification target if procurement requires it. The three layers reinforce each other.

Documenting HICP adoption for the OCR discount

The HITECH Amendment requires demonstration of recognized-practice adoption for at least the prior 12 months for the discount factor to apply. Practical documentation pattern:

Written policy referencing HICP recommended practices explicitly (not just HIPAA Security Rule sections). Senior management approval with version history.
12+ months of operational evidence - phishing simulation campaign records, training delivery records, threshold-exceedance documentation. Operational over the period, not assembled before an OCR event.
Practice-mapped evidence package indexed by HICP practice number, separate from HIPAA-section-mapped evidence. When OCR's recognized-practices factor evaluation runs, HICP-mapped evidence is what's evaluated.

Programs that produce HIPAA-only-mapped evidence may satisfy HIPAA but miss the discount-alignment opportunity. The dedicated HICP evidence package matters.

Common gaps in HICP adoption claims

Policy references HIPAA but not HICP - 12-month adoption claim weak
Annual training only - inadequate for Volume 2 organizations
No threshold-exceedance documentation - Practice expects program response
Email-only program - Volume 2 expects multi-channel
HIPAA-mapped evidence package only - HICP-specific mapping missing
Documentation assembled in the weeks before an OCR event - operational maturity claim invalid

Where Bait & Phish fits

Bait & Phish supports both HICP Volume 1 (small healthcare) and Volume 2 (medium and large) program profiles: continuous monthly phishing simulation across email, SMS and voice; auto-assigned remediation training; quarterly trend reports exportable for HIPAA Security Rule audits + HICP-mapped evidence packages; per-user completion records with timestamps. Start a 25-user free trial to validate platform fit, or talk to us about an HICP-aligned program design walkthrough mapped to your applicable Volume.

This post is informational and does not constitute compliance, legal, or enforcement-action advice. Specific HIPAA enforcement responses, HITECH Amendment interpretation and HICP adoption documentation are organization-specific - consult your compliance counsel for tailored guidance.

See also: HIPAA Security Awareness Training for the mandatory regulatory layer, HITRUST CSF for the certification layer that incorporates HICP, healthcare vertical phishing simulation for the operational deep-dive, and Compliance Comparison hub for cross-framework evidence overlap.

Related compliance guides

09may