June 29, 2022

Volume XII, Number 180


Department of Health and Human Services Issues Request for Information on Cybersecurity Standards

The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6, 2022 to submit comments.

HHS seeks this information to be better informed when making determinations regarding fines, audits, and remedies after a potential violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The request for information was issued by HHS’s Office for Civil Rights (“OCR”), which enforces the privacy and security rules for health providers and insurers that hold health data.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires that HHS consider industry recognized security practices during enforcement, but it neither requires nor prohibits rulemaking based on those practices. The HITECH Act defines “recognized security practices” as (i) the standards found in section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act, (ii) the approaches found in section 405(d) of the Cybersecurity Act of 2015, and (iii) “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” OCR seeks information in order to improve its guidelines about these standards.

Uncorrected violations under the HITECH Act can carry a minimum of $50,000 per violation in civil penalties. Enforcement actions are initiated by OCR through investigating complaints alleging violations of HIPAA Rules, as well as compliance reviews conducted by OCR following a breach report. Covered entities are required to submit breach reports after cybersecurity incidents under certain circumstances.

The request for information, found here, contains specific prompts on the topic.

© 2022 Proskauer Rose LLP. National Law Review, Volume XII, Number 126

About this Author

Ryan P. Blaney, Partner

Ryan Blaney is a partner in Proskauer’s Health Care and Privacy & Cybersecurity Groups.

Ryan’s practice focuses on regulatory compliance, enforcement, litigation and transactions in the areas of data privacy, cybersecurity, health care, and emerging technologies. He advises private equity, asset managers, health care, life sciences, retail and technology clients on privacy and cybersecurity compliance, cybersecurity incidents and government investigations, including acting as lead counsel in defending clients in regulatory investigations by...

202-416-6815
Vincent Tennant, Associate

Vincent Tennant is an associate in the Privacy & Cybersecurity and Health Care Groups.

Vince’s practice focuses on data privacy and cybersecurity issues in the context of regulatory compliance, enforcement, litigation and transactions. He advises private equity, asset managers, health care, life sciences, retail and technology clients on privacy and cybersecurity compliance, cyber risk management in critical transactions and cybersecurity incident response.

Vince counsels clients on federal, state, and...

212-969-3504