The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) to obtain industry feedback and inform potential future rulemaking regarding information security practices and civil money penalties (CMPs) under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the HIPAA Security Rule. OCR is seeking input on how HIPAA covered entities and business associates are operationalizing “recognized security practices” as defined by Public Law 116-321. It is also requesting commentary on the methodologies used to disperse CMPs to individuals harmed by violations of certain privacy or security provisions of the HITECH Act or the Social Security Act, which we will cover in a separate post.
Definition of Recognized Security Practices
“Recognized security practices” are defined by Public Law 116-321 to mean:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
- The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
- Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
Section 2(c)(15) of the NIST Act and Section 405(d) of the Cybersecurity Act of 2015 are not prescriptive with respect to how entities implement specific security standards. Section 2(c)(15) of the NIST Act allowed the NIST Director to develop the NIST Cybersecurity Framework (CSF) version 1.0 in 2014, which was later updated as version 1.1 in 2018. For entities that have adopted the NIST CSF as part of its recognized security practice implementation, NIST released its own RFI in February 2022, seeking industry commentary on updates to the CSF since the last update had occurred in 2018. Additionally, HHS launched a website in December 2021 that would serve as a central resource for the HHS 405(d) Aligning Health Care Industry Security Approaches Program.
Requirements for Covered Entities and Business Associates
Covered entities and business associates are not statutorily required to implement recognized security practices, but their practices must still be consistent with the HIPAA Security Rule, which, among other requirements, mandates that these entities maintain “reasonable and appropriate” administrative, technical, and physical safeguards for protecting electronic protected health information.
Effective January 5, 2021, Public Law 116-321 amended Part 1 of subtitle D of the HITECH Act by adding Section 13412 and directed the Secretary of HHS to take into account whether covered entities and business associates have “adequately demonstrated” that they have recognized security practices in place for at least the previous 12 months. The Secretary’s consideration of recognized security practices for the prior 12 months also takes into account whether the entity had fully implemented these practices, as opposed to merely initially adopting and documenting the existence of the practices.
Impact on HHS’ Determination of Fines and Penalties
Covered entities and business associates have significant reason to implement recognized security practices across their respective enterprises because the Secretary can account for which practices were in place when determining potential fines, penalties, and other remedies. Specifically, such implementation may reduce penalties and corrective action obligations in the event of Privacy and/or Security Rule violations, including: (i) mitigating fines under section 1176 of the Social Security Act; (ii) securing early, favorable terminations of OCR Privacy and Security Rule audits; and (iii) reducing covered entities or business associates’ obligations in settlement agreements with HHS.
OCR communicated that it understood that stakeholders may need additional information or clarification around OCR’s implementation of Public Law 116-321. In an effort to inform potential future guidance or rulemaking in connection with the law, OCR queried these entities on areas such as how they have implemented recognized security practices, which standards or guidelines they had relied upon, or how they have put these practices into effect across their organizations.
The information that OCR receives in response to this RFI will help shape its expectations around covered entity and business associate use of recognized security practices. As such, covered entities and business associates should monitor RFI responses, OCR feedback and commentary, as well as any resulting regulatory developments to ensure that their security practices are aligned with what OCR perceives to be the standard across the industry.