HHS Seeks Input on Critical HIPAA Enforcement ConsiderationsRegulators Examine 'Recognized' Security Practices and How to Divvy Up HIPAA Fines
The Department of Health and Human Services is seeking public input on two significant HIPAA questions: how regulators should consider the "recognized" security practices of organizations when making determinations about potential HIPAA enforcement actions and how to distribute a percentage of HIPAA fines and monetary settlements to individuals harmed by violations.
Some experts say the two regulatory matters are important - but challenging - tasks for HHS' HIPAA enforcement agency, the Office for Civil Rights, to address.
"HIPAA celebrated its 25th birthday in August 2021 and the HITECH Act has been around since 2009," says regulatory attorney Rachel Rose. "Both [RFI] issues are critical for HHS OCR to tackle because there needs to be a strong deterrent for people to comply with HIPAA, the HITECH Act and related laws, especially when cybersecurity threats across all sectors, including healthcare, are at an all-time high."
Privacy attorney Kirk Nahra of the law firm WilmerHale offers a similar assessment. "Both issues are pretty challenging - which is presumably why this is an RFI rather than a proposed rule."
Assessing Recognized Security Practices
In its request for information published Wednesday in the Federal Register, HHS OCR says it is seeking to improve its understanding of how covered entities and business associates are voluntarily implementing "recognized" security practices in order to better inform OCR in its determinations of HIPAA enforcement actions against organizations.
That portion of the RFI addresses an amendment added in January 2021 to the HITECH Act of 2009 (see: Bill Spells Out New Factor to Weigh In Setting HIPAA Fines).
One of the primary goals of Congress in adding the HITECH Act amendment was to incentivize healthcare entities and their business associates to adopt strong cybersecurity practices by encouraging HHS to consider organizations' cybersecurity practices when conducting audits or administering HIPAA fines, the RFI says.
"This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics."
—Lisa Pino, HHS OCR
"The information received in public comments will help OCR determine what potential information or clarifications it needs to provide, through future guidance or rule-making, to help regulated entities understand the application of the new law," the RFI says.
Before taking a HIPAA enforcement action, the amendment to the HITECH Act requires OCR to take into consideration whether a covered entity or business associate has adequately demonstrated that recognized security practices were in place for the prior 12 months.
Among the "recognized" security practices that OCR might consider are National Institute of Standards and Technology Act standards, guidelines, best practices, methodologies, procedures and processes; the approaches under section 405(d) of the Cybersecurity Act of 2015; and other programs and processes that address cybersecurity through regulations under other statutory authorities, the RFI says (see: HHS Launches Repository for Health Sector Cybersecurity Help).
The recognized security practices considered by OCR also must be consistent with HIPAA Security Rule requirements, according to the RFI.
Nahra says that in his legal experience, "OCR always has taken into consideration the actual security practices of the company being investigated." But with the amendment to the HITECH Act and subsequent RFI, he says, "they are looking for input on how they should formally factor these practices into their enforcement."
Nahra says OCR "will also need to integrate this [RFI] review with a broader set of overall enforcement issues stemming from the M.D Anderson case," in which the U.S. Court of Appeals in Louisiana in January 2021 vacated a $4.3 million civil monetary action against the University of Texas MD Anderson Cancer Center in a case involving three HIPAA breaches.
In that ruling, the appeals court was critical of HHS OCR's interpretation of HIPAA requirements and how it sets civil monetary penalties.
Divvying Up HIPAA Enforcement Money
In the RFI, HHS is also seeking public input on issues relating to distribution of a percentage of civil monetary penalties and financial settlements collected by OCR to individuals who have been harmed by HIPAA breaches and other protected health information privacy and security violations. That provision has been called for since 2009 under the HITECH Act.
The issues include how to define compensable individual harm resulting from a violation of the HIPAA Rules and the appropriate distribution of payments to harmed individuals, the RFI says. OCR will use the information received in public comments to inform the development of future distribution methodology and policies.
Three Models to Review
HHS OCR will consider recommendations from the Government Accountability Office about three different models in developing a methodology under which an individual who is harmed by a HIPAA violation may receive a percentage of any fines or monetary settlements collected by OCR.
The RFI notes that the GAO recommends HHS consider three potential models for its methodology in distributing monies to harmed individuals: individualized determination, fixed recovery and hybrid.
The individualized determination model is based on the private civil action model, in which a plaintiff bears the burden of proof with respect to both the harm suffered by the plaintiff, including the nature and extent of the harm, and liability incurred by the defendant, the RFI says.
Under the fixed recovery model, awards are generally either fixed or calculated by a formula established by law, and recovery is based on the prescribed formula, the RFI says.
The hybrid model combines elements of the individualized determination and fixed recovery models. The GAO says that hybrid models may be used "to reflect uncertainty regarding the types of harm that can be demonstrated with evidence," according to the RFI.
A Long Time Coming
HHS OCR is accepting public comment on these regulatory matters until June 6.
"This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics," Lisa Pino, OCR director, says in a statement.
Attorney Rose says that of the two issues OCR is tacking in its RFI, the examination of recognized best practices is easier because of OCR's past experience in HIPAA enforcement actions. She says the distribution of civil monetary penalties or other monies poses a greater challenge.
The challenge is related to a variety of issues, she says, the different types of HIPAA violations that are reported to OCR and the complexity of situations involving individuals who are also taking part in class action lawsuits against breached entities.