On April 6, 2022, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) seeking public comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, indicating that a rulemaking or further guidance related to the HITECH Act may be forthcoming. Specifically, the RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices. OCR will consider the implementation of such practices when making certain determinations relating to the resolution of potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The RFI also seeks input on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act. Although HIPAA does not provide a private right of action, the potential for sharing in monetary penalties or settlements could incentivize individuals to report potential HIPAA violations to OCR.
Recognized Security Practices
In 2021, the HITECH Act was amended to require HHS to consider “whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when resolving potential violations of HIPAA, incentivizing entities subject to HIPAA to improve their cybersecurity programs.
The HITECH Act definition of “recognized security practices” refers to, among other things, the National Institute of Standards and Technology Act (“NIST”) and the Cybersecurity Act of 2015. The HITECH Act does not require entities subject to HIPAA to implement recognized security practices; nor does the HITECH Act provide criteria to select the recognized security practices, except that these practices must be consistent with the requirements in the HIPAA Security Rule.
The RFI provides some clarity as to how OCR is interpreting the requirements of the HITECH Act amendment. For example, OCR has taken the position that to “adequately demonstrate that . . . recognized security practices [are] in place,” an entity “must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use . . . over the relevant period of time” of not less than the previous 12 months.
The RFI seeks comment on several questions related to how entities subject to HIPAA understand and are implementing recognized security practices, including:
- What recognized security practices have regulated entities implemented or do they plan to implement?
- What steps do regulated entities take to ensure that recognized security practices are actively and consistently in use over a 12-month period?
- What additional issues or information should OCR consider in developing guidance or proposed regulation regarding the consideration of recognized security practices?
Methodology for Distribution of CMPs or Monetary Settlements
The HITECH Act requires the Secretary of HHS to establish a methodology for the distribution of a percentage of a CMP or monetary settlement amount collected for noncompliance with the HIPAA Rules to an individual harmed by the noncompliance. While OCR must base determinations of appropriate penalty amounts on the nature and extent of the harm, the statute does not define “harm,” specify an amount to be set aside or distributed to individuals, or establish a methodology for establishing an amount. The HIPAA Rules identify certain “aggravating factors,” including physical harm, financial harm, reputational harm, and harm to the ability to obtain health care, that OCR may consider when determining the amount of a CMP or proposed settlement amount. However, the HIPAA Rules do not define these harms; nor do the Rules specify whether these harms make an individual eligible for distributions.
OCR seeks comment on several questions related to defining, quantifying, and compensating harm, including:
- What constitutes compensable harm with respect to violations of the HIPAA Rules?
- Should only certain types of harm (e.g., economic) determine eligibility to receive a portion of a CMP or monetary settlement?
- Should there be a total minimum CMP or settlement amount before HHS sets aside funds for distribution?
According to the RFI, OCR will consider three potential models to develop its methodology for individual distribution:
- Individualized determination, which is based on the private civil action model and places the burden of proof on the plaintiff to establish the harm suffered by the plaintiff and liability incurred by the defendant;
- Fixed recovery, in which awards are generally either fixed or calculated by a formula established by law; and
- Hybrid, which combines elements of both individualized determination and the fixed recovery models.
These recommended models do not address how to identify or define harm; instead, they offer distinct formulations for HHS to consider in developing its own methodology.
OCR seeks comments on several questions related to the potential distribution models, including:
- What goals should OCR prioritize when selecting a distribution model?
- Should there be a cap on the total percentage amount that any individual can collect to ensure that all harmed individuals receive a distribution or for any other reason?
- Are there other distribution models to consider?
OCR will accept comments on these proposals until June 6, 2022.