OCR Seeks Public Comments on HIPAA/HITECH Security and Enforcement Provisions

On April 6, 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a request for information (RFI) soliciting public comments on certain enforcement-related provisions of the privacy and security framework under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH or HITECH Act). In particular, OCR is requesting feedback on: (1) HIPAA-covered entities’ and their business associates’ “recognized security practices” and (2) the factors the agency should use to identify and pay “harmed individuals” using funds it collects from HIPAA/HITECH enforcement actions. Comments are due June 6, 2022.

OCR noted the “growing number of cybersecurity threats“ involving electronic protected health information (ePHI) as a concern prompting the RFI. Indeed, the RFI comes at a time when healthcare organizations are suffering record numbers of data breaches. According to one recent analysis of HHS data from 2021, the PHI of nearly 50 million individuals in the United States was breached in 2021 – a threefold increase from the prior three years, driven largely by increased hacking incidents in the healthcare sector.

“Recognized Security Practices”

In January 2021, Congress amended the HITECH Act to require OCR, which enforces HIPAA and HITECH, to consider the implementation of “recognized security practices” as a factor that may mitigate the fines and other measures that OCR may impose for a HIPAA/HITECH violation. The legislation defines “recognized security practices” as programs and processes that address cybersecurity and are recognized under various regulatory and statutory authorities, including those developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and under section 405(d) of the Cybersecurity Act of 2015.

To qualify for such mitigation, a covered entity or business associate must “adequately demonstrate” that it had such security practices “in place” for “not less than the previous 12 months.” In the RFI, OCR explained that it interprets the “in place” requirement as necessitating that a party show “the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time.” With respect to the 12-month look-back period, OCR noted that the 2021 legislation is unclear as to what action triggers that clock but refrained from offering its interpretation.

The RFI seeks comment on how covered entities and business associates are implementing recognized security practices, how they plan to show that such practices are in place, and any issues regarding such practices that OCR should clarify in future guidance or rulemaking.

Distribution of HIPAA/HITECH Enforcement Action Funds to “Harmed Individuals”

Additionally, the RFI seeks comments regarding a provision of the HITECH Act that calls for development of a methodology by which “an individual who is harmed” by a HIPAA/HITECH violation may receive a percentage of any civil monetary penalty (CMP) or monetary settlement that OCR collects through its enforcement efforts.

The HITECH Act required OCR to promulgate a regulation establishing the fund-sharing methodology by 2012. The agency’s 10-year delay in fulfilling this mandate is notable not only for its length but also because HIPAA and HITECH otherwise do not provide harmed individuals with a legal cause of action. Creation of the monetary disbursement methodology thus could create whole new incentives for individuals to file complaints of HIPAA/HITECH violations and seek redress.

A threshold step in formulating this methodology is to determine what constitutes a compensable “harm.” Although OCR regulations identify certain categories of harm as mitigating and aggravating factors for determining the amount of a CMP – physical, financial, reputational, and ability to obtain health care – the regulations do not specifically define these harms. Nor do OCR’s regulations require consideration of these harms in administering HITECH’s fund-sharing methodology provision.

To the extent OCR can identify relevant harms within this framework, it then must craft the precise methodology for awarding funds to a harmed individual. The HITECH Act does not specify what this methodology should include, other than it must be a “percentage” of a CMP or monetary settlement that OCR collects and that it must be “based on the recommendations” in a 2010 report published by the US Government Accountability Office (GAO). That report describes three models for developing the fund-sharing methodology:

1. Individualized determination model: Under this model, compensation would be paid based on the extent of harm for which the individual can provide evidence, similar to what is required of a plaintiff in civil litigation.
2. Fixed recovery model: Under this model, an individual who demonstrates harm would be entitled to a fixed amount or an amount prescribed by a specific formula.
3. Hybrid model: This model includes features of both of the other models.

The RFI asks for comments on what harms should make an individual eligible to receive a distribution, relevant factors in establishing the fund-sharing methodology, and the three recovery models from the GAO report.

What’s Next

The comments OCR receives in response to the RFI could prompt the agency to issue future guidance or initiate formal rulemaking regarding the recognized security practices and fund-sharing methodology provisions of the HITECH Act. These actions, in turn, could mark critical developments in how OCR enforces HIPAA and HITECH. Covered entities, their business associates, and other stakeholders wanting to weigh in on OCR’s approach to these issues should make sure to file their comments by June 6, 2022.