The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.
OCR is seeking public comments to improve its understanding of how regulated entities are voluntarily implementing recognized security practices to help determine what potential information or clarifications it needs to provide through future rulemaking or guidance. As explained by OCR, “[t]his RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices.”
With respect to its request for comment on sharing of civil monetary penalties and settlements, OCR explained: “[t]he RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”
Recognized Security Practices
As we previously discussed, effective January 5, 2021, the HITECH Act was amended to require HHS to take into consideration certain recognized security practices (such as those in line with National Institute of Standards and Technology (NIST) guidance) of covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule pursuant to an investigation, compliance review, or audit. According to HHS, one of the primary goals of this change in law is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.” OCR must now consider the “recognized security practices” that HIPAA covered entities and business associates adequately demonstrate were in place for the previous 12 months.
OCR posed several questions related to recognized security practices including the following:
- What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
- What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
- What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
- What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
- What steps do covered entities take to ensure that recognized security practices are “in place”?
- What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?
- What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?
- What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
- The Department requests comment on any additional issues or information the Department should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.
Sharing Funds with Individuals Harmed Due to HIPAA Violation
The HITECH Act requires HHS to establish a methodology whereby an affected individual may receive a percentage of a penalty or monetary settlement collected with respect to noncompliance. This effort aligns with OCR’s recent enforcement push around the HIPAA Right of Access. Although HHS may consider certain types of harm when determining the amount of a penalty, harm generally is not defined for the purpose of identifying and quantifying harm to determine an amount to be shared with an individual. Of note, many plaintiffs and courts have struggled with establishing harm resulting from privacy violations or data breaches. For this reason, OCR seeks input in the RFI about how to define harm and what bases should be used for deciding which injuries are compensable.
Below are examples of OCR questions related to determining harm for purposes of sharing funds with individuals contained in the RFI:
- What constitutes compensable harm with respect to violations of the HIPAA rules?
- Should compensable harm be limited to past harm?
- Should only economic harm be considered?
- Should harm be limited to the types of harm identified as aggravating factors in assessing civil monetary penalties (CMPs) (physical, financial, reputational, and ability to obtain health care)?
- Should harm be expanded to include additional types of noneconomic harms such as emotional harm?
Responding to an OCR request for information – like the one recently issued on April 6, 2022 – provides a vehicle for stakeholders to inform OCR of regulatory burdens or unintended consequences of HIPAA rules. Responding to a request for information also permits the responder to potentially shape the direction of future OCR rulemaking or guidance. Comments to the RFI must be submitted on or before June 6, 2022. You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA04.