OCR Researching How Covered Entities Implement Security Practices
OCR recently released a request for information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the HITECH Act. It also is seeking public input on sharing funds collected through enforcement with individuals who are harmed via HIPAA violations.
Because of the Jan. 5, 2021, amendment to the HITECH Act, HHS is required to consider certain recognized security practices of covered entities and business associates when determining whether to impose penalties for violation of HIPAA, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson in Baton Rouge, LA.
While covered entities and business associates are not required to implement recognized security practices, demonstrating that such practices were in place for the 12 months before an incident will be considered a mitigating factor in the analysis of a HIPAA violation penalty.
“The recent RFI is an opportunity for covered entities to have a voice in how recognized security practices are determined and reviewed by OCR in the wake of a HIPAA breach,” Rush says. “HHS specifically stated that it is seeking input on additional information or clarifications regulated entities need from OCR regarding implementation of the HITECH amendment.”
OCR is requesting information on two issues. First, it appears OCR is seeking to better understand how covered entities are determining and implementing recognized security practices, Rush says. Since the HITECH amendment, when conducting a HIPAA breach investigation, OCR routinely inquires whether the regulated entity uses recognized security practices. Information shared by covered entities on the recognized security practices may be used to help OCR assess whether the entity under investigation uses reasonable security practices, Rush says.
Second, the amendments to HITECH require HHS to establish a methodology under which individuals harmed by a potential HIPAA violation can receive a percentage of any civil monetary penalty or monetary settlement collected for the offense.
“OCR is seeking input from all stakeholders to assist it in developing regulations or guidance that will dictate when a portion of a penalty or settlement amount will be shared with victims, and the methodology for determining the amounts distributed,” Rush says.
After the comment period, HHS also may issue regulations or guidance on implementing and documenting recognized security practices that are a mitigating factor when a covered entity has experienced a breach.
Upon the issuance of any new regulations or guidance, covered entities should be prepared to re-evaluate their security practices and determine whether any adjustments are necessary.
“Recognized security practices outlined in any potential guidance resulting from this RFI may not be required, but in the event of a HIPAA breach investigation, covered entities could certainly benefit from being able to show they have adhered to these practices,” Rush says.
Recognizing Good Work
OCR’s request for comment on the HITECH Act’s provision regarding “recognized security practices” represents a welcome effort to recognize the good work many covered entities are performing to bolster their cybersecurity through adoption of best practices and adherence to National Institute of Standards and Technology (NIST) and other industry standards, says W. Reece Hirsch, JD, partner with Morgan Lewis in San Francisco. However, it remains to be seen how much OCR actually takes recognized security practices into account to reduce penalties or forgo enforcement actions.
“The RFI is a bit of a double-edged sword. The focus on recognized security practices suggests a more even-handed, covered entity-friendly approach to HIPAA enforcement,” Hirsch says. “On the other hand, the focus on civil monetary penalties and settlement-sharing and the creation of a HIPAA whistleblower mechanism could lead to a spike in HIPAA enforcement activity.”
One issue to watch is how harm to the individual is defined under the HIPAA whistleblower process because that will form the basis for allocating settlement amounts.
“A broad interpretation of harm that goes beyond actual financial damages suffered would be likely to lead to a wave of HIPAA whistleblower complaints,” Hirsch says.
REFERENCE
- Office for Civil Rights. Considerations for implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act as amended. Federal Register. April 6, 2022.
SOURCES
- W. Reece Hirsch, JD, partner, Morgan Lewis, San Francisco. Phone: (415) 442-1422. Email: [email protected].
- Layna Cook Rush, CIPP/US, CIPP/C, Shareholder, Baker Donelson, Baton Rouge, LA. Phone: (225) 381-7043. Email: [email protected].