HHS seeks comment by June 6 on recognized security practices as mitigating factor in HIPAA enforcement

Recognized Security Practices

Section 13412 of the HITECH Act requires the HHS Office for Civil Rights (OCR) to take into consideration certain “recognized security practices” of HIPAA covered entities and business associates when determining potential fines, audit results, or other remedies for resolving potential HIPAA Security Rule violations.

“Recognized security practices” are programs and processes that address cybersecurity and that are recognized through various statutory authorities, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Health Industry Cybersecurity Practices identified by HHS pursuant to section 405(d) of the Cybersecurity Act of 2015.

The HITECH Act, as amended in 2021, states that a recognized security practice must be “in place” to be considered as a possible mitigating factor. In the RFI, OCR indicated that it believes that “in place” has the same meaning as “implemented” under the HIPAA Security Rule, and that the practice must thus be fully implemented and actively and consistently in use over the relevant period of time. The RFI seeks comment on how HIPAA-regulated entities are implementing recognized security practices, how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

The HITECH Act also requires that, when considering a recognized security practice as a possible mitigating factor, OCR determine whether the recognized security practice was in place for a period of “not less than the previous 12 months.” But the Act does not state what action initiates the beginning of the 12-month look back period.

OCR specifically seeks public comment on the following questions:

1. What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
2. What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
3. What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
4. What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
5. What steps do covered entities take to ensure that recognized security practices are “in place”
   1. What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?
      1. What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?
6. What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
7. Any additional issues or information the Department should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.

Civil Money Penalty and Settlement Sharing

The HITECH Act required that HHS establish a methodology under which harmed individuals could receive a percentage of any civil money penalty (CMP) or monetary settlement collected with respect to HIPAA violations.  OCR typically enforces HIPAA by investigating complaints, breaches, or other potential noncompliance. In some cases, such investigations result in a CMP or a settlement including a payment. In the past, such funds were directed to OCR. Under the HITECH Act, HHS was directed to share such funds with affected individuals.

The RFI requests comment on how such distributions should be made. In particular, because the HITECH Act does not define “harm,” OCR is considering “what harms may make an individual eligible to receive such distributions.” OCR is also requesting feedback on possible methodologies for distribution of such funds. The Government Accountability Office (GAO) recommended three models for OCR’s consideration—the individualized determination model, the fixed recovery model, and a hybrid of the first two. OCR has requested feedback on each of these proposed models and made a request for proposals of other distribution models to consider. In the RFI, OCR reiterates that HIPAA does not provide a private right of action to individuals, and the HITECH Act does not require that individuals will be made financially whole through the distribution of this funding. OCR will use the information from public comments to inform the development of future distribution methodology and policies.

Next Steps

Those interested in providing comments will need to submit by June 6, 2022. HHS expects to use the information received in comments to determine what future guidance or rulemaking is needed to implement and help HIPAA-regulated entities understand the new law. The comment process allows affected entities to highlight the security frameworks and practices on which they rely or that are best suited to the health sector to make sure they are considered as “recognized security practices” for the purposes of HIPAA enforcement.

Authored by Paul Otto, Marcy Wilder, Scott Loughlin, Maddy Gitomer, Donald DePass, Fleur Oké, and Jacob Wall.