On April 4, 2022, the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) seeking input from HIPAA-covered entities and business associates on how the industry understands and is implementing what are defined as “recognized security practices” under the HITECH Act. The RFI also asks for industry input on how individuals who have been harmed by violations of the HIPAA Rules should be compensated.
The HITECH Act was amended in 2021 to require HHS to take into consideration “recognized security practices” of covered entities and business associates that were in place for the previous 12 months when determining fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule. The HITECH Act does not require covered entities and business associates to implement “recognized security practices” but does require that recognized security practices be consistent with the HIPAA Security Rule. The security practices, to be considered by HHS, must adhere to the following definition of “recognized security practices” under the amended HITECH Act:
In the RFI, HHS states it is insufficient for an organization to “merely establish and document” the adoption of the recognized security practices. HHS says, “the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time,” i.e., the 12-month look-back period. Of note, the HITECH Act does not state what action initiates the beginning of the 12-month look-back period.
However, it is unlikely that an entity’s security plan quickly rolled out upon receiving an HHS investigative letter subsequent to a data incident or complaint will meet the required look-back period. Entities should therefore determine if their security practices meet the thresholds in the HITECH Act for “recognized security practices” and, if not, swiftly move to bring those security practices into conformance to start the clock ticking on the 12-month look-back period.
In the RFI, HHS specifically asks for commentary on questions including:
This RFI is the perfect chance for HIPAA-regulated entities to let HHS know how they are implementing recognized security practices, and what potential information or clarifications HHS should issue. This is an opportunity for regulated entities to identify frameworks they have implemented and why, in particular if the entity uses a framework other than the NIST Act or Cybersecurity Act frameworks identified in the HITECH Act. If a regulated entity questions whether its chosen framework is sufficient, HHS may provide commentary on that point when responding to the RFI comments received.
Responses to the RFI should contain a description of the measures entities have in place, along with a brief explanation of how such measures fulfill the requirements under the definition provided in the HITECH Act. Entities can also use their response as a chance to define events or actions that they believe should be considered the beginning of the 12-month look-back period for their security practices. By providing HHS with a snapshot of how entities are implementing security practices, or plan to implement security practices, entities can help shape interpretation of this piece of the HITECH Act in a manner that is practical to the risks and challenges faced by health care entities.
HHS is also requesting comments on the types of harms that should be considered in the distribution of civil monetary penalties (CMPs) and monetary settlements to harmed individuals for non-compliance with HIPAA. Currently, harm is not defined. Specifically, HHS would like feedback on questions including:
Comments must be submitted on or before June 6, 2022.