HIPAA Enforcement: Use of Recognized Security Practices, Including for Cybersecurity | Practical Law


In April 2022, the Department of Health and Human Services (HHS) began implementing 2021 legislation that requires the agency, in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices, including with regard to cybersecurity. An HHS request for information (RFI) on this topic also addresses a rule under which individuals harmed by HIPAA noncompliance may receive a percentage of the money settlements or penalties collected as a result of the noncompliance.

HIPAA Enforcement: Use of Recognized Security Practices, Including for Cybersecurity

by Practical Law Employee Benefits & Executive Compensation
Law stated as of 22 Apr 2022 | USA (National/Federal)
In April 2022, the Department of Health and Human Services' (HHS's) Office for Civil Rights (OCR) began implementing 2021 legislation addressing how the agency enforces the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see Practice Note, HIPAA Security Rule). The 2021 legislation requires HHS, in enforcing HIPAA's Security Rule, to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices, including with regard to cybersecurity (Pub. L. No. 116-321 (2021); see related press release and Legal Update, Legislation Requires HHS to Consider Entities' Cybersecurity Practices in Enforcing HIPAA).
As a first step in this process, HHS issued a request for information (RFI) concerning CEs' and BAs' voluntary implementation of recognized security practices (87 Fed. Reg. 19833 (Apr. 6, 2022)). HHS's RFI also addresses a requirement under which individuals harmed by HIPAA noncompliance may receive a percentage of money settlements or civil money penalties (CMPs) collected as a result of the noncompliance (see Awarding Enforcement Penalties to Individuals Harmed by HIPAA Noncompliance).

HHS Enforcement of HIPAA Rules

The 2021 legislation expands on HHS's existing enforcement of the HIPAA Privacy, Security, and Breach Notification Rules. Collectively, these requirements are referred to as the HIPAA Rules. For more information on group health plan compliance with the HIPAA Rules, see HIPAA Privacy, Security, and Breach Notification Toolkit.
HHS enforces the HIPAA Rules by:
  • Investigating submitted complaints.
  • Performing compliance reviews of potential violations by CEs and BAs.
These enforcement efforts may result in negotiated settlement agreements with CEs and BAs that include corrective action plans and the imposition of CMPs. For more information, see Practice Notes, HIPAA Enforcement: Penalties and Investigations and HIPAA Enforcement: Settlement Agreements.
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), as implemented, there are four tiers of violations that reflect increasing levels of culpability by a CE or BA (see Practice Note, HIPAA Enforcement: Penalties and Investigations: Four Tiers of Violations and Penalty Amounts).
Subject to calendar year caps, the penalty amounts that HHS imposes may vary based on:
  • The date and number of violations.
  • The CE's or BA's culpability.
  • The existence of certain mitigating and aggravating factors (including harm to an individual).

RFI Seeks Information on Recognized Security Practices

Overview of 2021 Legislation

The 2021 legislation amended the HITECH Act to require HHS, in making determinations about penalties, audits, and remedies regarding potential violations of HIPAA's Security Rule, to consider whether CEs and BAs have shown that, for a period covering the prior 12 months, the entities have implemented certain recognized security practices (HITECH Act § 13412; see Practice Note, HIPAA Security Rule). Regarding the HIPAA Security Rule, the presence of these security measures may warrant:
  • Mitigation of the CMPs that HHS would otherwise impose.
  • Early, favorable termination of an HHS audit.
  • Mitigation of the remedies that HHS would otherwise require in a settlement agreement.
The 2021 legislation defines "recognized security practices" to include:
  • Standards, guidelines, best practices, methodologies, procedures, and processes created under a provision of the National Institute of Standards and Technology (NIST) Act intended to cost-effectively reduce cyber risks (15 U.S.C. § 272(c)(15); see Practice Note, The NIST Cybersecurity Framework).
  • Approaches developed under Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. § 1533(d)).
  • Certain other cybersecurity programs and processes developed under implementing regulations for related statutes.
Under the 2021 legislation, the CE or BA itself selects the recognized security practices it implements, and those practices must be consistent with the HIPAA Security Rule.

Purpose of April 2022 RFI

HHS's RFI is intended to help the agency understand how CEs and BAs are voluntarily implementing recognized security practices, as defined under the 2021 legislation. Information received in response to the RFI will help HHS determine what potential information or clarifications may need to be issued in future guidance or regulations to help CEs and BAs understand how the 2021 legislation applies. However, the 2021 legislation does not expressly require HHS to issue implementing regulations addressing the legislation's requirements. Moreover, HHS does not discuss at length in the RFI:
  • The extent to which the agency is already taking CEs' and BAs' recognized security practices into account in its enforcement efforts.
  • What the agency has learned from its existing experience (if any) in enforcing the requirement.
Instead, the RFI seeks input on:
  • How CEs and BAs understand and are implementing recognized security practices.
  • How CEs and BAs plan to demonstrate that these practices are in place.
  • Other issues relevant to implementing the 2021 legislation.
HHS notes in its RFI that the 2021 legislation does not:
  • Require CEs and BAs to adopt recognized security practices (that is, CEs and BAs are not subject to liability for choosing not to use recognized security practices).
  • Offer criteria for use by CEs and BAs in selecting which of the three general categories of recognized security practices to implement.
However, the 2021 legislation does require that recognized security practices be consistent with the HIPAA Security Rule.

CEs and BAs Must Show Full Implementation of Recognized Security Practices

HHS's RFI emphasizes that cybersecurity threats are driving the need to safeguard electronic protected health information (ePHI). According to HHS, the 2021 legislation therefore is intended to encourage CEs and BAs to protect individuals' PHI, including by adopting robust cybersecurity practices. The RFI indicates that HHS considers a CE or BA to have recognized security practices in place for the prior 12 months if those practices are fully implemented. HHS does not view it as adequate for a CE or BA to merely establish and document its initial adoption of recognized security practices. For these practices to be considered by HHS in making determinations about penalties, audits, or other remedies, the CE or BA must show that its recognized security practices were actively and consistently in use by the CE or BA during the relevant timeframe.

Meaning of Previous 12 Months

The 2021 legislation requires HHS, in making determinations about fines, audits, or other remedies in the HIPAA security context, to consider whether a CE or BA has adequately demonstrated that its recognized security practices were in place for the previous 12 months. However, the 2021 legislation does not state what action triggers the start of the 12-month look-back period. As a result, this issue may be a topic of future HHS guidance.

Specific Questions for CEs and BAs on Recognized Security Practices

HHS's RFI seeks input, including from CEs and BAs, on a lengthy set of questions concerning the 2021 legislation. For CEs and BAs, the RFI offers insight into the issues HHS is considering in future guidance. For example, one set of questions addresses issues about CEs' and BAs' implementation of recognized security practices, including:
  • What recognized security practices have CEs and BAs implemented?
  • If not currently implemented, what recognized security practices do entities plan to implement?
  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the NIST Act do CEs and BAs rely on in establishing and implementing recognized security practices?
  • What approaches under Section 405(d) of the Cybersecurity Act of 2015 do CEs and BAs rely on in establishing and implementing recognized security practices?
  • What other programs and processes addressing cybersecurity (as recognized or developed in regulations to implement other statutes) do CEs or BAs rely on in establishing and implementing recognized security practices?
  • What steps do CEs take to ensure that recognized security practices are in place (and in place throughout the CEs' enterprises)?
  • Does enterprise-wide implementation include the use of technology, such as servers, workstations, mobile devices, medical devices, apps, and application programming interfaces (APIs)?
  • What steps do CEs take to ensure that recognized security practices are actively, consistently, and continuously in use during a 12-month period?
HHS's RFI also seeks comment on any additional issues or information the agency should consider in developing guidance or proposed regulations on its consideration of recognized security practices.

Awarding Enforcement Penalties to Individuals Harmed by HIPAA Noncompliance

HHS's April 2022 RFI also addresses a provision under the 2021 legislation that requires a percentage of monetary settlements or CMPs collected under the HITECH Act to be distributed to individuals harmed by HIPAA noncompliance (HITECH Act § 13410(c)(3)). Specifically, the 2021 legislation requires HHS to establish a method, based in part on recommendations from the Government Accountability Office (GAO), under which individuals harmed by privacy or security-related noncompliance with the HITECH Act may receive a percentage of any monetary settlement or CMP collected by OCR regarding the offense (HITECH Act § 13410(c)(2); see Three Potential Methods for Distributing Funds to Individuals). The 2021 legislation requires HHS to base penalty amount determinations on the nature and extent of a violation and the resulting harm.
Among other issues, HHS's RFI seeks comments on:
  • How HHS should define compensable individual harm resulting from violations of the HIPAA Rules.
  • Methods and policies for distributing payments to harmed individuals.
In the HIPAA enforcement context, HHS considers certain kinds of harm to be aggravating factors in proposing settlement agreements or CMPs for noncompliance by CEs or BAs (see Practice Note, HIPAA Enforcement: Penalties and Investigations: Factors in Determining Penalty Amount). Specifically, the four types of harm are:
  • Physical harm.
  • Financial harm.
  • Reputational harm.
  • Harm that impairs an individual's ability to obtain health care.
However, HHS may consider other relevant factors (in addition to the four listed types of harm) in determining the nature and extent of harm involved.
The HITECH Act and HIPAA rules do not define harm either:
  • As a general matter.
  • In identifying and quantifying harm to determine an amount to be shared with individuals.
At a minimum, however, there must be a relationship between the harm at issue and noncompliance with the HIPAA Rules.
As a result, HHS's RFI also seeks comments concerning:
  • How to define harm and what bases should be used for deciding which injuries are compensable.
  • Which kinds of harm make an individual eligible to receive a distribution.
  • The types of harms that should be considered in distributing money settlements and CMPs to harmed individuals.
  • Use of potential methods for distributing funds to harmed individuals (for example, individual-specific, fixed-recovery, or hybrid approaches) (see Three Potential Methods for Distributing Funds to Individuals).

General Principles for Distributing Funds to Individuals

In establishing a method to distribute funds to individuals, HHS must consider issues that may limit the funding available to harmed individuals. For example, HHS's analysis must reflect that:
  • The HITECH Act does not guarantee or require that harmed individuals be made whole by the sharing of monetary settlements or CMPs.
  • HIPAA does not contain a private right of action under which individuals may sue a CE or BA for violating their privacy rights (although HIPAA also does not prevent this remedy under state law) (see Practice Note, HIPAA Privacy and Security (Individual Rights): Right of Accounting and Other Rights: No Private Cause of Action for HIPAA Violations).
  • HHS is limited by statute regarding the total amount of CMPs it can pursue for each alleged violation of the HIPAA Rules.
  • Because HHS is not required to pursue an enforcement action for every potential violation of the HIPAA Rules, not every harm caused by a potential violation can be redressed.

Three Potential Methods for Distributing Funds to Individuals

Based on the GAO's recommendations, HHS is considering three potential methods for distributing funds to harmed individuals. These methods are:

Individualized Determination Method

The individualized determination method is based on the US's private civil action system, under which a plaintiff bears the burden of proof regarding:
  • The harm suffered by the plaintiff (including the nature and extent of the harm).
  • Liability incurred by the defendant.
Under this model, evidence addressing the nature and extent of harm may result in an award of compensation to a plaintiff. This process may sometimes involve juries.
In class actions, which are a variation of the individual determination method:
  • A group of similarly harmed individuals pursue their claims together.
  • The burdens of proof for harm and liability continue to be borne by plaintiffs.
  • Awards are shared among the class of harmed individuals and are often based on a fixed percentage of the total recovery amount.
For example, an individual assessment approach is used by the Consumer Financial Protection Bureau (CFPB) to distribute monetary awards for economic harms. The CFPB is authorized to oversee and regulate consumer financial products and services, including by directing funds into the Consumer Financial Civil Penalty (CFCP) Fund. These funds may then be used to compensate individuals (in that context, victims) harmed by an activity for which the CFPB imposed penalties.

Fixed Recovery Method

Under the fixed recovery model:
  • Awards are typically fixed or calculated by a formula established by law.
  • Recovery is based on the prescribed formula.
Under the Black Lung Benefits Act (BLBA), for example, coal miners and their dependents may receive benefits for disability or death due to black lung disease (pneumoconiosis) resulting from employment in coal mines. An individual or family may receive an award under the BLBA by first providing medical evidence of the condition. Monetary recovery under the BLBA:
  • Is based on a statutory formula.
  • May be reduced if an individual receives compensation for the condition from other sources (for example, workers' compensation).
Unlike under the individualized determination method, an individual's recovery does not vary with the individual's specific economic or noneconomic harm.

Hybrid Method

As its name suggests, a hybrid method:
  • Combines elements of the individualized determination and fixed recovery methods.
  • May be useful in addressing uncertainty about the types of harm that can be demonstrated with evidence.

Specific Questions on Distributing Funds to Harmed Individuals

HHS's RFI seeks input on a lengthy set of questions involving distributing funds to individuals harmed by noncompliance with the HIPAA Rules. These questions include:
  • What should constitute harm for violations of the HIPAA Rules (for example, should harm be restricted only to past harm or should future harm also be compensable)?
  • Should some types of future harm not be recognized as compensable (for example, an individual with only a risk of future harm)?
  • Should both economic and noneconomic types of harm (for example, emotional harm) be compensable?
  • Should harm be restricted to the specified aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain health care)?
  • What amount of funds should be set aside or distributed to harmed individuals?
  • Should HHS allow individuals to include actual and perceived harm, which may vary based on the context and individual, so that different individuals may suffer different amounts of harm although they suffered the same loss of privacy?
  • Should HHS presume that harm exists in some situations (for example, for noncompliance with certain provisions under the HIPAA Rules)?
  • Should noncompliance with certain HIPAA Rules generally be presumed not to have harmed individuals (for example, noncompliance with the workforce training rules, unless accompanied by an impermissible use or disclosure of PHI)? For more information, see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials.
  • Should individuals be required to offer evidence of harm before receiving part of a monetary settlement or CMP (if so, what type of evidence is sufficient to demonstrate compensable harm)?
  • Should HHS recognize as compensable harm the release of health information about a person other than the individual who is the subject of the information (for example, if a family member's information was included in an individual's record as family health history)?
  • Should individuals not the subject of the released information be allowed to receive a portion of the monetary settlement or CMP?

Limiting the Amount of Funds Distributed to Individuals

The HITECH Act does not address the appropriate amount to be distributed to individuals, aside from requiring that it be a percentage of the settlement or CMP. HHS notes that other federal administrative agencies have established various approaches regarding this issue. For example, the CFPB:
  • Does not impose limits on the amount that is available for distribution to victims.
  • Requires that payments be practicable.
By contrast, the Securities and Exchange Commission (SEC):
  • Uses discretion about whether to use penalty amounts to compensate investors for losses.
  • Returns remaining amounts to the Treasury.
As a result, several questions in HHS's RFI involve the factors to be considered in developing a method to calculate an amount to be set aside for distribution to individuals. In this regard, HHS asks whether there are circumstances in which funds should not be set aside for distribution. HHS also asks whether there should be:
  • A minimum total settlement or penalty amount before HHS sets aside funds for distribution?
  • A minimum amount available per harmed individual before funds are provided for distribution?
  • A minimum or maximum percentage or amount set aside for distribution?
One question addresses what role HHS's ongoing ability to support enforcement activities should play in determining whether there is a minimum total settlement or penalty amount before HHS sets aside funds for distribution.
Another question involves what factors HHS should consider in determining the total percentage of a settlement or CMP that should be set aside for harmed individuals.

Calculating the Total Percentage of Penalties for Distribution

Other questions in the RFI involve the factors that HHS should consider in calculating the total percentage of a settlement or CMPs to set aside for harmed individuals. For example, HHS asks whether the percentage set aside should:
  • Depend on how many individuals may have been harmed and the amount or type of harm?
  • Be based on a fixed percentage or another factor?
  • Reflect HHS's ability to conduct future enforcement efforts with the remaining funds?
Additional questions address how to notify affected individuals that a monetary distribution may be available. These questions include:
  • How should harmed individuals be notified that they may be eligible for distributions?
  • Should the family or estate of deceased individuals be notified?
  • For individuals who cannot be located and notified within the applicable distribution timeframe, should these individuals be allowed to receive a distribution at a later time?
Regarding distribution methods, HHS asks whether its method should:
  • Ensure that all harmed individuals receive compensation?
  • Provide greater distributions to individuals most harmed by the noncompliance?
  • Set a cap on the total percentage amount that any individual may collect (so that all harmed individuals receive a distribution)?
  • Account for in-kind benefits (for example, credit monitoring paid for by a CE or BA) as compensation that reduces the amount of a distribution an individual receives?
  • Allow individuals to appeal disbursement decisions by fund administrators (for example, if the administrator concludes that the individual did not sustain enough harm to warrant compensation)?
Other questions in the RFI address administrative issues in disbursing funds. For example, these questions ask if:
  • HHS should impose specific timeframes after a settlement or the imposition of penalties within which individuals must submit claims for settlement proceeds?
  • Timeliness requirements should be evaluated on a case-by-case basis (for example, based on factors such as how many individuals were affected by a violation)?
HHS also seeks comments on any additional factors or information it should consider in developing a method for distributing a percentage of settlements or CMPs to harmed individuals.

Opportunity for CEs and BAs to Shape Future Guidance

For CEs and BAs that have already implemented recognized security practices (including in the cybersecurity context), the 2021 legislation is an opportunity to receive credit for doing so in the event of an HHS HIPAA enforcement action. As a result, these CEs and BAs may have an incentive to respond to HHS's RFI and help shape implementation of the 2021 legislation. Commenters must provide their comments in response to HHS's RFI by June 6, 2022.