OCR Requests Comment on Significant HIPAA Enforcement Rulemaking

Just one month remains to comment on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights' (OCR) current Request for Information (RFI), which seeks public input on the implementation of two statutory provisions related to HIPAA:

• (1) How HIPAA-covered entities and business associates can adequately demonstrate the adoption of "recognized security practices" when OCR considers potential violations of the HIPAA Security Rule; and
• (2) How to distribute to harmed individuals portions of penalties and settlement amounts it collects.

Organizations may wish to comment in order to advocate for practical means of demonstrating the adoption of sound security practices and address thorny issues surrounding who is "harmed" and how they should be compensated, which could have wide-reaching consequences with respect to how many complaints OCR receives and how it resolves such complaints.

Comments are due by June 6, 2022.

Clarification of Recognized Security Practices

As an incentive for HIPAA-covered entities and business associates to improve their cybersecurity programs, Congress amended the HITECH Act in 2021 through Public Law 116-321, requiring OCR to consider "recognized security practices" that organizations "adequately demonstrate" were in place for the previous 12 months when making determinations regarding certain enforcement and audit activities to resolve potential violations of the HIPAA Security Rule. The RFI solicits comment on how covered entities and business associates understand and implement recognized security practices and how they anticipate adequately demonstrating that the recognized security practices are in place.

"Recognized Security Practices" are defined as "the standards, guidelines, best practices, methodologies, procedures, and processes developed under…" the National Institute of Standards and Technology (NIST) Act, the Cybersecurity Act of 2015, and other cybersecurity programs and processes developed, recognized, or promulgated through regulations under other statutory authorities. The statute does not require covered entities and businesses to implement recognized security practices nor provide criteria to use when determining which solutions to implement—however, recognized security practices must be consistent with Security Rule requirements.¹

Covered entities and business associates must also "adequately demonstrate" that the recognized security practices were in place for the prior 12 months for those entities to mitigate any potential OCR audit or enforcement action. OCR has clarified that it is not enough for a covered entity to merely adopt recognized security practices, but they must fully implement those practices so that they are "actively and consistently in use by the covered entity or business over the relevant period of time."² The statute, however, does not state what action marks the beginning of the 12-month lookback period.

The RFI sets forth several questions for public comment on implementing recognized security practices, which can be summarized as follows:

• What regulated security practices have been implemented or are planned to be implemented by HIPAA-regulated entities, and what standards, guidelines, or best practices do those entities rely upon for their implementation?
• Do covered entities consider "implementation" of recognized security practices throughout the enterprise to include servers, mobile applications, medical devices, and/or APIs?
• Once the recognized security practices have been completed, how do entities ensure that they are actively and consistently in use over the 12-month period?
• Are there any additional issues or information that the OCR should consider when developing guidance or proposed regulations?

In order to benefit from this statutory provision in the future and potentially receive reduced penalties or audits, organizations should consider how they can reasonably demonstrate implementation of an appropriate security framework and should provide comments supporting such an approach. For example, are there internal audit mechanisms and documentation that organizations can use to demonstrate continued implementation of recognized security practices?

Distribution of Civil Monetary Penalties or Monetary Settlements

OCR also is seeking public comment on how to define compensable individual harm resulting from HIPAA Rules violations, on appropriate methodologies to determine that harm, and on the appropriate distribution of payments to harmed individuals. Section 13410(c)(3) of the HITECH Act requires the HHS Secretary to establish a methodology for the distribution of a percentage of civil monetary penalties (CMP) or monetary settlement amounts collected for noncompliance with HIPAA Rules—however, the statute does not define "harm" or provide direction to HHS on how to define the term.

Traditionally, the amount of a CMP that OCR pursues varies based on the date and number of violations, the culpability of the entity, and the existence of certain mitigating and aggravating factors identified in the Enforcement Rule—which include physical, financial, and reputational factors and the ability to obtain healthcare.³ Notably, the Enforcement Rule also leaves open the possibility of other types of harm that are not included in the aforementioned categories. Unfortunately, the Enforcement Rule does not specifically define the listed harms, and the HITECH Act does not require the application of those same harms to a distribution methodology of CMPs or other monetary settlements to harmed individuals.

To assist in defining and quantifying compensable harm with respect to violations of HIPAA Rules, OCR has asked for public comment on the following:

• What constitutes compensable harm, and should it be limited to past harm, economic harm, or those listed as aggravating factors only, or should the definition be expanded to consider noneconomic harms, such as emotional harm?
  
  • How will these types of harm be proven and measured?
  • If there is no demonstrated injury-in-fact or economic harm, how will noneconomic harms be measured?
  • Should the potential for future harm be compensable?
• Are there any circumstances under which harm should be presumed, such as in instances of noncompliance with certain provisions of the HIPAA Rules? Conversely, are there circumstances where an individual should not be permitted to receive a portion of a CMP or monetary settlement?
• Should there be a minimum total settlement or penalty amount before the Department sets aside funds for distribution or a minimum amount available per harmed individual?
• For purposes of sharing part of a CMP or monetary settlement, should the Department recognize the harm of the release of information about a person who is the subject of the information, such as family member whose information is listed in an individual's family health history? Should that family member in the example receive a portion of a CMP or monetary settlement?

The HITECH Act also requires the HHS Comptroller General to submit recommendations for a methodology that can be used to determine the percentage of any CMP or monetary settlement received by an individual harmed by noncompliance with the privacy and security requirements related to protected health information.

The GAO recommended three models for consideration:

• (1) Individualized determination, which is based on the private civil action model in which the plaintiff bears the burden of proving both the plaintiff's harm and defendant's liability;
• (2) A fixed recovery model, where awards are generally fixed or calculated by a formula established by law; and
• (3) A hybrid model, which combines elements of the individualized determination and the fixed recovery model.

When choosing a methodology to address the harms outlined above, OCR has asked the following questions to determine what proposed methodology or sufficient alternative would be most appropriate:

• Should there be a minimum or maximum percentage or amount set aside for distribution? What factors should the Department consider in determining the total percentage of a CMP or monetary settlement that should be set aside for harmed individuals?
• How should notification to harmed individuals be provided and should that include the families or estate of a harmed individual?
• What should be the goal when selecting a distribution model? For example, should all harmed individuals be compensated or only those most harmed by noncompliance? Should there be a cap on the total percentage amount that any one individual can collect?
• Should the distribution methodology recognize and account for in-kind benefits, such as credit monitoring paid for by the entity as compensation for reducing the total distribution to those individuals? Should the methodology recognize the potential or actual compensation of individuals for the same action through other mechanisms outside of the distribution requirement?
• Should there be a timeframe associated with recovery or a right to appeal a decision not to disburse funds to the individual?

For better or worse, the distribution of penalties and settlements to harmed individuals has the potential to incentivize individuals to bring more HIPAA complaints and to pressure OCR to pursue financial enforcement in reaching a resolution. Additionally, defining who has been "harmed" by a privacy or security violation could provide precedent outside of HIPAA where many class action suits over security breaches have failed due to a lack of demonstrable harm.

Accordingly, organizations should carefully consider and comment on what types of privacy harms are appropriate for compensation and may wish to encourage OCR to continue its enforcement focus on voluntary compliance and technical assistance, notwithstanding any new pressures to obtain and distribute portions of financial penalties to harmed individuals.

Next Steps for Businesses and Other Stakeholders

Covered entities and business associates should evaluate how they can reasonably demonstrate the adoption of recognized security practices and how the distribution of settlements and penalties to harmed individuals could impact how OCR resolves future HIPAA complaints. We are happy to assist clients with preparing comments on these important HIPAA enforcement issues.

FOOTNOTES

1  See Section 13412(b)(1) of the HITECH Act, 42 U.S.C. 17941(b)(1).
2  See RFI Proposed Rules, Section (I)(A)(2).
3  See 45 CFR 160.408(b).