Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The US Department of Health Human Services (HHS) is seeking public comments about the appropriate role of “recognized security practices” in enforcement of the HIPAA Security Rule. Congress, through an amendment to the HITECH Act, is requiring that the agency take into consideration certain “recognized security practices” when determining potential enforcement outcomes for HIPAA-regulated entities subject to audit or investigation for violations of the Security Rule. The Request for Information (RFI) provides an opportunity for stakeholders to help define which security frameworks and practices will be recognized in the context of enforcement of the Security Rule. In addition, the agency is seeking comments on developing a methodology by which it could distribute some of the funds collected through HIPAA enforcement actions to affected individuals. Comments are due by June 6, 2022.
Section 13412 of the HITECH Act requires the HHS Office for Civil Rights (OCR) to take into consideration certain “recognized security practices” of HIPAA covered entities and business associates when determining potential fines, audit results, or other remedies for resolving potential HIPAA Security Rule violations.
“Recognized security practices” are programs and processes that address cybersecurity and that are recognized through various statutory authorities, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Health Industry Cybersecurity Practices identified by HHS pursuant to section 405(d) of the Cybersecurity Act of 2015.
The HITECH Act, as amended in 2021, states that a recognized security practice must be “in place” to be considered as a possible mitigating factor. In the RFI, OCR indicated that it believes that “in place” has the same meaning as “implemented” under the HIPAA Security Rule, and that the practice must thus be fully implemented and actively and consistently in use over the relevant period of time. The RFI seeks comment on how HIPAA-regulated entities are implementing recognized security practices, how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
The HITECH Act also requires that, when considering a recognized security practice as a possible mitigating factor, OCR determine whether the recognized security practice was in place for a period of “not less than the previous 12 months.” But the Act does not state what action initiates the beginning of the 12-month look back period.
OCR specifically seeks public comment on the following questions:
The HITECH Act required that HHS establish a methodology under which harmed individuals could receive a percentage of any civil money penalty (CMP) or monetary settlement collected with respect to HIPAA violations. OCR typically enforces HIPAA by investigating complaints, breaches, or other potential noncompliance. In some cases, such investigations result in a CMP or a settlement including a payment. In the past, such funds were directed to OCR. Under the HITECH Act, HHS was directed to share such funds with affected individuals.
The RFI requests comment on how such distributions should be made. In particular, because the HITECH Act does not define “harm,” OCR is considering “what harms may make an individual eligible to receive such distributions.” OCR is also requesting feedback on possible methodologies for distribution of such funds. The Government Accountability Office (GAO) recommended three models for OCR’s consideration—the individualized determination model, the fixed recovery model, and a hybrid of the first two. OCR has requested feedback on each of these proposed models and made a request for proposals of other distribution models to consider. In the RFI, OCR reiterates that HIPAA does not provide a private right of action to individuals, and the HITECH Act does not require that individuals will be made financially whole through the distribution of this funding. OCR will use the information from public comments to inform the development of future distribution methodology and policies.
Those interested in providing comments will need to submit by June 6, 2022. HHS expects to use the information received in comments to determine what future guidance or rulemaking is needed to implement and help HIPAA-regulated entities understand the new law. The comment process allows affected entities to highlight the security frameworks and practices on which they rely or that are best suited to the health sector to make sure they are considered as “recognized security practices” for the purposes of HIPAA enforcement.
Authored by Paul Otto, Marcy Wilder, Scott Loughlin, Maddy Gitomer, Donald DePass, Fleur Oké, and Jacob Wall.