On April 4, 2022, the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) seeking input from HIPAA-covered entities and business associates on how the industry understands and is implementing what are defined as “recognized security practices” under the HITECH Act. The Request for Information (RFI) also asks for industry input on how individuals that have been harmed by violations of the HIPAA Rules should be compensated.
Recognized Security Practices
The HITECH Act was amended in 2021 to require HHS to take into consideration “recognized security practices” of covered entities and business associates that were in place for the previous 12 months when determining fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule. The HITECH Act does not require covered entities and business associates to implement “recognized security practices” but does require that recognized security practices be consistent with the HIPAA Security Rule. The security practices, to be considered by HHS, must adhere to the following definition of “recognized security practices” under the amended HITECH Act:
- The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act</a>;
- The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015</a>; or
- Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
In the RFI, HHS states it is insufficient for an organization to “merely establish and document” the adoption of the recognized security practices. HHS says, “the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time,” i.e., the 12-month look back period. Of note, the HITECH Act does not state what action initiates the beginning of the 12-month lookback period.
However, it is unlikely that an entity’s security plan quickly rolled out upon receiving an HHS investigative letter subsequent to a data incident or complaint will meet the required look-back period. Entities should therefore determine if their security practices meet the thresholds in the HITCH Act for “recognized security practices” and if not, swiftly move to bring those security practices into conformance to start the clock ticking on the 12-month look-back period.
In the RFI, HHS specifically asks for commentary on questions including:
- What recognized security practices have regulated entities implemented or do they plan to implement? In particular, what standards, approaches, guidelines, etc. under the NIST Act or Cybersecurity Act do entities rely on?
- What steps do entities take to ensure the recognized security practices are “in place” and used throughout the enterprise?
- What steps do entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
This RFI is the perfect chance for HIPAA-regulated entities to let HHS know how they are implementing recognized security practices, and what potential information or clarifications HHS should issue. This is an opportunity for regulated entities to identify frameworks they have implemented and why, in particular if the entity uses a framework other than the NIST Act or Cybersecurity Act frameworks identified in the HITECH Act. In particular, if a regulated entity questions if their chosen framework is sufficient HHS may provide commentary on the same in responding to the RFI comments received.
Responses to the RFI should contain a description of the measures entities have in place, along with a brief explanation how such measures fulfill the requirements under the definition provided in the HITECH Act. Entities can also use their response as a chance to define events or actions that they believe should be considered the beginning of the 12-month look back period for their security practices. By providing HHS with a snapshot of how entities are implementing security practices, or plan to implement security practices, entities can help shape interpretation of this piece of the HITECH Act in a manner that is practical to the risks and challenges faced by health care entities.
Methodologies to Compensate Harmed Individuals
HHS is also requesting comments on the types of harms that should be considered in the distribution of civil monetary penalties (CMPs) and monetary settlements to harmed individuals for non-compliance with HIPAA. Currently, harm is not defined. Specifically, HHS would like feedback on questions including:
- What constitutes compensable harm with respect to violations of the HIPAA Rules?
- What type of harm should be considered? E.g., Past harm versus future harm? Economic harm versus emotional harm? Actual harm versus perceived harm? Only harm identified as aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain health care)?
- How should harmed individuals be identified? How should they be notified? What if they are deceased? What if they cannot be located? Within what timeframe after a settlement agreement or imposition of a CMP should individuals submit claims to be eligible for disbursement?
- What methodologies should HHS consider for sharing and distributing monies to harmed individuals? Should there be a minimum or maximum amount or percentage? Should there be an appeals process? HHS invites the public to submit alternative methodologies for consideration.
Comments must be submitted on or before June 6, 2022.