HIPAA Enforcers Seek Public Input on Recognized Security Practices and Sharing Enforcement Recoveries with Affected Individuals
Wednesday, April 13, 2022
Department of Health and Human Services Seeks Public Commentary on HITECH Act and HIPAA Rule Violations
Print Mail Download i

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threatsbreaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

OCR is seeking public comments to improve its understanding of how regulated entities are voluntarily implementing recognized security practices to help determine what potential information or clarifications it needs to provide through future rulemaking or guidance. As explained by OCR“[t]his RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices.

With respect to its request for comment on sharing of civil monetary penalties and settlements, OCR explained: [t]he RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”

Recognized Security Practices

As we previously discussed, effective January 5, 2021, the HITECH Act was amended to require HHS to take into consideration certain recognized security practices (such as those in line with the National Institutes of Standards and Technology (NIST) guidance) of covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA security rule pursuant to an investigation, compliance review, or audit. According to HHS, one of the primary goals of this change in law is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.” OCR must now consider the “recognized security practices” that HIPAA covered entities and business associates adequately demonstrate were in place for the previous 12 months.

OCR posed several questions related to recognized security practices including the following:

  • What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?

  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?

  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?

  • What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?

  • What steps do covered entities take to ensure that recognized security practices are “in place”?

    • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?

      • What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?

    • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

    • The Department requests comment on any additional issues or information the Department should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.

Sharing Funds with Individuals Harmed Due to HIPAA Violation

The HITECH Act requires HHS to establish a methodology whereby an affected individual may receive a percentage of a penalty or monetary settlement collected with respect to noncompliance. This effort aligns with OCR’s recent enforcement push around the HIPAA Right of Access. Although HHS may consider certain types of harm when determining the amount of a penalty, harm generally is not defined for the purpose of identifying and quantifying harm to determine an amount to be shared with an individual. Of note, many plaintiffs and courts have struggled with establishing harm resulting from privacy violations or data breach. For this reason, OCR seeks input in the RFI about how to define harm and what bases should be used for deciding which injuries are compensable.

Below are examples of OCR questions related to determining harm for purposes of sharing funds with individuals contained in the RFI:

  • What constitutes compensable harm with respect to violations of the HIPAA rules?

  • Should compensable harm be limited to past harm?

  • Should only economic harm be considered?

  • Should harm be limited to the types of harm identified as aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain health care)?

  • Should harm be expanded to include additional types of noneconomic harms such as emotional harm?

Responding to an OCR request for information – like the one recently issued on April 6, 2022 – provides a vehicle for stakeholders to inform OCR of regulatory burdens or unintended consequences of HIPAA rules. Responding to a request for information also permits the responder to potentially shape the direction of future OCR rulemaking or guidance. Comments to the RFI must be submitted on or before June 6, 2022. You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA04.

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

EEOC Final Rule Implementing the Pregnant Workers Fairness Act
by: Jennifer Stefanick Barna , Marguerite (Maggie) McGowan Stringer
Interested in Opening a Medical Spa? Here’s What You Need to Know
by: John W. Eriksen , Nivedita B. Patel
Five Commissioners and a Vote on Noncompetes to Come
by: E. John Steren , Patricia M. Wagner
U.S. Judicial Conference Aims to Curb "Judge Shopping": New Guidance Promoting Random Civil Case Assignments
by: Lori A. Medley , Scarlett L. Freeman
FTC Vote on Rule to Ban Non-Competes Scheduled for April 23rd
by: Mark L. Daniels
Insignificant Harm Not So Insignificant in Proving Title VII Transfer Violation - SCOTUS Today
by: Stuart M. Gerson
Maryland Expected to Expand Pay Transparency Requirements in Fall 2024
by: Ann Knuckles Mahoney , Tammy Tran
Employment Law This Week Episode 342 - Spilling Secrets: Navigating Physician Non-Compete Litigation [Video, Podcast]
by: Jill K. Bigler , Daniel L. Fahey
Today’s Argument Was More Consequential Than Issued Opinions - SCOTUS Today
by: Stuart M. Gerson
Supreme Court Underscores Limited Applicability of Rule 10b-5(b) Omissions Claims
by: Daniel D. Edelman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins