OCR Seeks Feedback on Recognized Security Practices and on Sharing HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released a Request for Information (RFI) on the two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, which was amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to take into account the security measures that HIPAA-regulated entities have implemented when calculating financial penalties and other sanctions to resolve possible HIPAA violations uncovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to put in place the strongest possible cybersecurity measures. The incentive is lower HIPAA fines following data breaches and less ongoing scrutiny by the HHS.

A separate outstanding obligation, in place since the HITECH Act was enacted, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments it collects with the individuals harmed by the violations for which the penalties were imposed. The HITECH Act required the HHS to create a methodology for calculating the amounts to be shared, based on the nature and extent of the violation and the nature and extent of the harm that resulted from it.

Recently, the new Director of the HHS’ Office for Civil Rights (OCR), Lisa J. Pino, commented that these two obligations under the HITECH Act would be addressed during 2022. Yesterday, OCR published the RFI in the Federal Register asking for public feedback on these two requirements of the HITECH Act.

In particular, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security measures that HIPAA-regulated entities are implementing to secure electronic protected health information, and on how those entities expect to adequately demonstrate that recognized security practices are in place. OCR would also like to hear about any implementation issues that regulated entities want OCR to address, either through further rulemaking or guidance, and suggestions on which action should trigger the start of the 12-month look-back period, as the HIPAA Safe Harbor Act does not make this clear.

One of the chief difficulties with the legal obligation to share CMPs and settlements with victims is that the HITECH Act does not define harm. OCR is asking for comment on the range of “harms” that should be considered when allocating a percentage of CMPs and settlements, and for suggestions on possible methodologies for sharing and distributing funds to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

To be considered, comments must be submitted to OCR by June 6, 2022.