On April 6, 2022, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) seeking public comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, indicating that a rulemaking or further guidance related to the HITECH Act may be forthcoming.  Specifically, the RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices.  OCR will consider the implementation of such practices when making certain determinations relating to the resolution of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The RFI also seeks input on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act.  Although HIPAA does not provide a private right of action, the potential for sharing in monetary penalties or settlements could incentivize individuals to report potential HIPAA violations to OCR.

Recognized Security Practices

In 2021, the HITECH Act was amended to require HHS to consider “whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when resolving potential violations of HIPAA, incentivizing entities subject to HIPAA to improve their cybersecurity programs.

The HITECH Act definition of “recognized security practices” refers to, among other things, the National Institute of Standards and Technology Act (“NIST”) and the Cybersecurity Act of 2015.  The HITECH Act does not require entities subject to HIPAA to implement recognized security practices; nor does the HITECH Act provide criteria to select the recognized security practices, except that these practices must be consistent with the requirements in the HIPAA Security Rule.

The RFI provides some clarity as to how OCR is interpreting the requirements of the HITECH Act amendment.  For example, OCR has taken the position that to “adequately demonstrate[] that . . . recognized security practices [are] in place,” an entity “must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use . . . over the relevant period of time” of not less than the previous 12 months.

The RFI seeks comment on several questions related to how entities subject to HIPAA understand and are implementing recognized security practices, including:

  • What recognized security practices have regulated entities implemented or do they plan to implement?
  • What steps do regulated entities take to ensure that recognized security practices are actively and consistently in use over a 12-month period?
  • What additional issues or information should OCR consider in developing guidance or proposed regulation regarding the consideration of recognized security practices?

Methodology for Distribution of CMPs or Monetary Settlements

The HITECH Act requires the Secretary of HHS to establish a methodology for the distribution of a percentage of a CMP or monetary settlement amount collected for noncompliance with the HIPAA Rules to an individual harmed by the noncompliance.  While OCR must base determinations of appropriate penalty amounts on the nature and extent of the harm, the statute does not define “harm,” specify an amount to be set aside or distributed to individuals, or establish a methodology for establishing an amount.  The HIPAA Rules identify certain “aggravating factors,” including physical harm, financial harm, reputational harm, and harm to the ability to obtain health care, that OCR may consider when determining the amount of a CMP or proposed settlement amount.  However, the HIPAA Rules do not define these harms; nor do the Rules specify whether these harms make an individual eligible for distributions.

OCR seeks comment on several questions related to defining, quantifying, and compensating harm, including:

  • What constitutes compensable harm with respect to violations of the HIPAA Rules?
  • Should only certain types of harm (e.g., economic) determine eligibility to receive a portion of a CMP or monetary settlement?
  • Should there be a total minimum CMP or settlement amount before HHS sets aside funds for distribution?

According to the RFI, OCR will consider three potential models to develop its methodology for individual distribution:

  • Individualized determination, which is based on the private civil action model and places the burden of proof on the plaintiff to establish the harm suffered by the plaintiff and liability incurred by the defendant;
  • Fixed recovery, in which awards are generally either fixed or calculated by a formula established by law; and
  • Hybrid, which combines elements of both individualized determination and the fixed recovery models.

These recommended models do not address how to identify or define harm; instead, they offer distinct formulations for HHS to consider in developing its own methodology.

OCR seeks comments on several questions related to the potential distribution models, including:

  • What goals should OCR prioritize when selecting a distribution model?
  • Should there be a cap on the total percentage amount that any individual can collect to ensure that all harmed individuals receive a distribution or for any other reason?
  • Are there other distribution models to consider?

OCR will accept comments on these proposals until June 6, 2022.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.