OCR RFI: Have You Implemented Your Recognized Security Practices?
Wednesday, April 13, 2022
OCR Requests Feedback of CMPs under HITECH Act and HIPAA Security
Print Mail Download i

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) to obtain industry feedback and inform potential future rulemaking regarding information security practices and civil money penalties (CMPs) under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA Security Rule. OCR is seeking input on how HIPAA covered entities and business associates are operationalizing “recognized security practices” as defined by Public Law 116-321. It is also requesting commentary on the methodologies used to disperse CMPs to individuals harmed by violations of certain privacy or security provisions of the HITECH Act or the Social Security Act, which we will cover in a separate post.

Definition of Recognized Security Practices

“Recognized security practices” are defined by Public Law 116-321 to mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;

  • The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and

  • Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Section 2(c)(15) of the NIST Act and Section 405(d) of the Cybersecurity Act of 2015 are not prescriptive with respect to how entities implement specific security standards. Section 2(c)(15) of the NIST Act allowed the NIST Director to develop the NIST Cybersecurity Framework (CSF) version 1.0 in 2014, which was later updated as version 1.1 in 2018. For entities that have adopted the NIST CSF as part of its recognized security practice implementation, NIST released its own RFI in February 2022, seeking industry commentary on updates to the CSF since the last update had occurred in 2018.  Additionally, HHS launched a website in December 2021 that would serve as a central resource for the HHS 405(d) Aligning Health Care Industry Security Approaches Program.

Requirements for Covered Entities and Business Associates

Covered entities and business associates are not statutorily required to implement recognized security practices, but their practices must still be consistent with the HIPAA Security Rule, which, among other requirements, mandates that these entities maintain “reasonable and appropriate” administrative, technical, and physical safeguards for protecting electronic protected health information.

Effective January 5, 2021, Public Law 116-321 amended Part 1 of subtitle D of the HITECH Act by adding Section 13412 and directed the Secretary of HHS to take into account whether covered entities and business associates have “adequately demonstrated” that they have recognized security practices in place for at least the previous 12 months. The Secretary’s consideration of recognized security practices for the prior 12 months also takes into account whether the entity had fully implemented these practices, as opposed to merely initially adopting and documenting the existence of the practices.

Impact on HHS’ Determination of Fines and Penalties

Covered entities and business associates have significant reason to implement recognized security practices across their respective enterprises because the Secretary can account for which practices were in place when determining potential fines, penalties, and other remedies. Specifically, such implementation may reduce penalties and corrective action obligations in the event of Privacy and/or Security Rule violations, including: (i) mitigating fines under section 1176 of the Social Security Act; (ii) securing early, favorable terminations of OCR Privacy and Security Rule audits; and (iii) reducing covered entities or business associates’ obligations in settlement agreements with HHS.

OCR communicated that it understood that stakeholders may need additional information or clarification around OCR’s implementation of Public Law 116-321. In an effort to inform potential future guidance or rulemaking in connection with the law, OCR queried these entities on areas such as how they have implemented recognized security practices, which standards or guidelines they had relied upon, or how they have put these practices into effect across their organizations.

The information that OCR receives in response to this RFI will help shape its expectations around covered entity and business associate use of recognized security practices. As such, covered entities and business associates should monitor RFI responses, OCR feedback and commentary, as well as any resulting regulatory developments to ensure that their security practices are aligned with what OCR perceives to be the standard across the industry.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Current Legal Analysis

More from Mintz

DOJ Releases COVID-19 Fraud Enforcement Task Force Report Touting Its Successes and Urging Lawmakers to Enact New Legislation
by: Jane Haviland , Abdie Santiago
SEC’s Enforcement Authority Over Crypto Asset Transactions Upheld (Again) in Case Against Coinbase
by: Cory S. Flashner , Steve Ganis
Canada’s 2024 Federal Budget: The Time Is Now ... to Lock in Lower Tax Rates
by: Katy Pitch
American Privacy Rights Act – Another Shot at a Comprehensive Federal Privacy Law
by: Cynthia J. Larose , Christopher J. Buontempo
Tony Bennett May Have Left His Heart in San Francisco but the City's Appeal of Its NPDES Permit is on its Way to the United States Supreme Court.
by: Jeffrey R. Porter
Navigating Health Tech: Regulations for AI/ML in Medical Devices and Software [Video]
by: Benjamin M. Zegarelli , Pat G. Ouellette
Supreme Court Narrows the Reach of Omission Liability Claims Under Section 10(b) of the Exchange Act
by: Douglas P. Baumstein , Jason C. Vigna
Office of the Level Playing Field
by: Jennifer B. Rubin
The Sun is About to Set on Temporary CCPA/CPRA Exemptions: Employers Get Ready
by: Cynthia J. Larose
New Jersey Adopts a Comprehensive Data Privacy Law
by: Cynthia J. Larose , Jon Taylor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins