June 30, 2022

Volume XII, Number 181


HIPAA Enforcers Seek Public Input on Recognized Security Practices and Sharing Enforcement Recoveries with Affected Individuals

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches, and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

OCR is seeking public comments to improve its understanding of how regulated entities are voluntarily implementing recognized security practices, to help determine what information or clarifications it needs to provide through future rulemaking or guidance. As explained by OCR, “[t]his RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices.”

With respect to its request for comment on the sharing of civil monetary penalties and settlements, OCR explained: “[t]he RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”

Recognized Security Practices

As we previously discussed, effective January 5, 2021, the HITECH Act was amended to require HHS to take into consideration certain recognized security practices (such as those in line with National Institute of Standards and Technology (NIST) guidance) of covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule pursuant to an investigation, compliance review, or audit. According to HHS, one of the primary goals of this change in law is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.” OCR must now consider the “recognized security practices” that HIPAA covered entities and business associates adequately demonstrate were in place for the previous 12 months.

OCR posed several questions related to recognized security practices including the following:

  • What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?

  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?

  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?

  • What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?

  • What steps do covered entities take to ensure that recognized security practices are “in place”?

    • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?

      • What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?

    • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

  • The Department requests comment on any additional issues or information the Department should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.

Sharing Funds with Individuals Harmed Due to HIPAA Violation

The HITECH Act requires HHS to establish a methodology whereby an affected individual may receive a percentage of a penalty or monetary settlement collected with respect to noncompliance. This effort aligns with OCR’s recent enforcement push around the HIPAA Right of Access. Although HHS may consider certain types of harm when determining the amount of a penalty, harm generally is not defined for the purpose of identifying and quantifying harm to determine an amount to be shared with an individual. Of note, many plaintiffs and courts have struggled with establishing harm resulting from privacy violations or a data breach. For this reason, OCR seeks input in the RFI about how to define harm and what bases should be used for deciding which injuries are compensable.

Below are examples of the OCR questions in the RFI related to determining harm for purposes of sharing funds with individuals:

  • What constitutes compensable harm with respect to violations of the HIPAA rules?

  • Should compensable harm be limited to past harm?

  • Should only economic harm be considered?

  • Should harm be limited to the types of harm identified as aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain health care)?

  • Should harm be expanded to include additional types of noneconomic harms such as emotional harm?

Responding to an OCR request for information – like the one recently issued on April 6, 2022 – provides a vehicle for stakeholders to inform OCR of regulatory burdens or unintended consequences of HIPAA rules. Responding to a request for information also permits the responder to potentially shape the direction of future OCR rulemaking or guidance. Comments to the RFI must be submitted on or before June 6, 2022. You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA04.

©2022 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XII, Number 103

About this Author

Elizabeth A. Kastner, Member of the Firm, Epstein Becker & Green, P.C.

Hospitals, hospices, and health plans turn to health care attorney Beth Kastner for advice on contractual arrangements as well as regulatory, operational, and compliance matters. She regularly advises clients on vendor/supply chain relationships, clinically integrated networks, and managed care contracting, including narrow networks, shared saving, and bundled payment models.

Beth also routinely advises clients on compliance with health information privacy laws and health care fraud and abuse laws, with a particular emphasis on structuring...

614-872-2411
Alaap Shah, Attorney, Health Care and Life Sciences, Member of the Firm

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320