The HHS Office for Civil Rights is seeking comment on HIPAA-covered entities’ and business associates’ implementation of “recognized security practices” and on payments to “injured persons” from funds the agency collects through its enforcement actions. Stakeholders have until June 6, 2022 to respond.
On April 6, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Request for Information (RFI) seeking public comment on certain provisions related to enforcement of the privacy and security framework under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH or the HITECH Act). In particular, OCR requests comment on: (1) the “recognized security practices” of HIPAA-covered entities and their business associates, and (2) the factors the agency should use to identify and pay “individuals who are harmed” from the funds it collects through HIPAA/HITECH enforcement. Comments are due June 6, 2022.
OCR cited the “increasing number of cybersecurity threats” involving electronic protected health information (ePHI) as a concern driving the RFI. Indeed, the RFI comes at a time when healthcare organizations are experiencing a record number of data breaches. According to a recent analysis of HHS data for 2021, the PHI of nearly 50 million people in the United States was compromised in 2021, roughly three times the figure from three years earlier, driven mainly by the rise in hacking incidents targeting the healthcare sector.
“Recognized Security Practices”
In January 2021, Congress amended the HITECH Act to require OCR, which enforces HIPAA and HITECH, to consider a regulated entity’s implementation of “recognized security practices” as a factor that can mitigate fines and other enforcement actions OCR may impose for a HIPAA/HITECH violation. The legislation defines “recognized security practices” as programs and processes that address cybersecurity and are developed, recognized, or promulgated under various regulatory and statutory authorities, including those developed under Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015.
To qualify for such mitigation, a covered entity or business associate must “adequately demonstrate” that it has had such security practices in place for “at least the preceding 12 months.” In the RFI, OCR explained that it interprets the “in place” requirement to mean that a party must show that “the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time.” Regarding the 12-month look-back period, OCR noted that the 2021 legislation is unclear as to what event starts the clock, but it refrained from offering its own interpretation.
The RFI invites feedback on how covered entities and business associates implement recognized security practices, how they plan to demonstrate that those practices are in place, and any issues concerning these practices that OCR should clarify in future guidance or regulations.
Distributing HIPAA/HITECH Enforcement Action Funds to “Injured Persons”
In addition, the RFI invites comment on a provision of the HITECH Act that calls for the development of a methodology under which “an individual who is harmed” by a HIPAA/HITECH violation can receive a percentage of any civil money penalty (CMP) or monetary settlement that OCR collects through its enforcement efforts.
The HITECH Act required OCR to promulgate regulations establishing this fund-sharing methodology by 2012. The agency’s ten-year delay in fulfilling that mandate is notable not only for its length, but also because HIPAA and HITECH do not give injured parties a private right of action. Creating the monetary distribution methodology could therefore create entirely new incentives for individuals to file HIPAA/HITECH complaints and seek compensation.
A preliminary step in formulating this methodology is determining what constitutes compensable “harm.” Although OCR’s regulations identify certain categories of harm (physical, financial, reputational, and harm to an individual’s ability to obtain health care) as mitigating and aggravating factors in determining the amount of a CMP, the regulations do not specifically define these harms. Nor do OCR’s regulations require consideration of such harms in administering HITECH’s fund-sharing methodology provision.
To the extent OCR can identify the relevant harms within this framework, it must then develop the precise methodology for allocating funds to an injured person. The HITECH Act does not specify what this methodology should include, other than that the payment should be a “percentage” of a CMP or monetary settlement that OCR collects and that the methodology is to be “based on recommendations” in a 2010 report issued by the U.S. Government Accountability Office (GAO). That report describes three models for developing the fund-sharing methodology:
- Individualized determination model: Under this model, compensation would be paid based on the extent of the harm for which the individual can provide evidence, similar to what is required of a plaintiff in civil litigation.
- Fixed recovery model: Under this model, a person who demonstrates harm would be entitled to a fixed amount or an amount set by a specific formula.
- Hybrid model: This model combines features of the other two models.
The RFI seeks comment on the harms that should make an individual eligible to receive a distribution, the relevant factors in establishing the fund-sharing methodology, and the three recovery models described in the GAO report.
The feedback OCR receives in response to the RFI may prompt the agency to issue future guidance or initiate formal rulemaking on the recognized security practices and fund-sharing methodology provisions of the HITECH Act. Those actions, in turn, could mark critical developments in how OCR enforces HIPAA and HITECH. Covered entities, their business associates, and other stakeholders wishing to influence OCR’s approach to these issues should be sure to file their comments by June 6, 2022.