HHS Begins Implementing 2021 Legislation on Cybersecurity Practices and HIPAA Enforcement | Practical Law


The Department of Health and Human Services (HHS) has begun implementing 2021 legislation that requires the agency, in enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices, including with regard to cybersecurity. An HHS request for information (RFI) on this topic also addresses a requirement under which individuals harmed by HIPAA noncompliance may receive a percentage of the penalties or money settlements collected as a result of the noncompliance.

HHS Begins Implementing 2021 Legislation on Cybersecurity Practices and HIPAA Enforcement

by Practical Law Employee Benefits & Executive Compensation
Published on 06 Apr 2022 | USA (National/Federal)
HHS's Office for Civil Rights (OCR) has begun implementing 2021 legislation that requires the agency, in enforcing HIPAA, to consider whether HIPAA covered entities (CEs) and business associates (BAs) have implemented and applied certain recognized security practices—including with regard to cybersecurity (Pub. L. No. 116-321 (2021); see Legal Update, Legislation Requires HHS to Consider Entities' Cybersecurity Practices in Enforcing HIPAA and related press release). As an initial step in this process, HHS has issued a request for information (RFI) concerning CEs' and BAs' voluntary implementation of recognized security practices (87 Fed. Reg. 19833 (Apr. 6, 2022)).
HHS's RFI also addresses a requirement under which individuals harmed by HIPAA noncompliance may receive a percentage of the penalties or money settlements collected as a result of the noncompliance. (Regarding HIPAA compliance, see HIPAA Privacy, Security, and Breach Notification Toolkit.)

RFI Seeks Information on Recognized Security Practices

Overview of 2021 Legislation

The 2021 legislation amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to require HHS, in conducting audits or administering HIPAA penalties, to consider whether a CE or BA has adequately demonstrated that it had recognized security practices in place for at least the previous 12 months. HHS must take the presence of such practices into account in its determinations about fines, audits, and other remedies.
The 2021 legislation defines "recognized security practices" to include:
  • Standards, guidelines, best practices, methodologies, procedures, and processes created under a provision of the National Institute of Standards and Technology (NIST) Act intended to cost-effectively reduce cyber risks (15 U.S.C. § 272(c)(15)).
  • Approaches developed under Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. § 1533(d); see Practice Note, The NIST Cybersecurity Framework).
  • Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
The CE or BA itself selects which recognized security practices to use, and its selection must be consistent with the HIPAA Security Rule.

Purpose of April 2022 RFI

HHS's RFI is intended to help the agency understand how CEs and BAs are voluntarily implementing recognized security practices, as defined under the 2021 legislation. Information received in response to the RFI will help HHS determine what potential information or clarifications may be needed—through future guidance or regulations—to help CEs and BAs understand how the 2021 legislation applies. To this end, the RFI seeks input on:
  • How CEs and BAs understand and are implementing recognized security practices.
  • How CEs and BAs plan to demonstrate that these practices are in place.
  • Other issues relevant to implementing the 2021 legislation.
HHS's RFI notes that the 2021 legislation does not:
  • Require CEs and BAs to adopt recognized security practices.
  • Offer criteria for use by CEs and BAs in selecting which of the three general categories of recognized security practices to implement.
However, the 2021 legislation does require that recognized security practices be consistent with the HIPAA Security Rule.

CEs and BAs Must Show Full Implementation of Recognized Security Practices

HHS's RFI emphasizes that cybersecurity threats are driving the need to safeguard electronic protected health information (ePHI). According to HHS, the 2021 legislation is therefore intended to encourage CEs and BAs to protect individuals' PHI, including through the adoption of robust cybersecurity practices. The RFI indicates that HHS will consider a CE or BA to have had recognized security practices "in place" for the prior 12 months only if those practices were fully implemented throughout that period. Merely establishing and documenting the initial adoption of recognized security practices will not be enough. For these practices to be considered by HHS in making determinations about penalties, audits, or other remedies, the CE or BA will need to show that its recognized security practices were actively and consistently in use across the relevant timeframe.

Meaning of Previous 12 Months

As noted, the 2021 legislation requires HHS, in making determinations about fines, audits, or other remedies in the HIPAA context, to consider whether a CE or BA has adequately demonstrated that its recognized security practices were in place for at least the previous 12 months. However, the 2021 legislation does not state what event triggers the start of the 12-month look-back period (for example, the date of a breach, the date a complaint is filed, or the date an investigation or audit begins). As a result, this issue may be a topic of future HHS guidance.

RFI Questions for CEs and BAs

HHS's RFI seeks input on the following questions concerning the 2021 legislation:
  • What recognized security practices have CEs and BAs implemented?
  • If not currently implemented, what recognized security practices do entities plan to implement?
  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the NIST Act do CEs and BAs rely on in establishing and implementing recognized security practices?
  • What approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015 do CEs and BAs rely on in establishing and implementing recognized security practices?
  • What other programs and processes addressing cybersecurity, as developed, recognized, or promulgated through regulations under other statutory authorities, do CEs or BAs rely on in establishing and implementing recognized security practices?
  • What steps do CEs take to ensure that recognized security practices are in place?
  • What steps are CEs taking to ensure that recognized security practices are in use throughout their enterprise?
  • Does enterprise-wide implementation include the use of technology such as servers, workstations, mobile devices, medical devices, apps, and application programming interfaces (APIs)?
  • What steps do CEs take to ensure that recognized security practices are actively, consistently, and continuously in use over a 12-month period?
HHS's RFI also seeks comment on any additional issues or information it should consider in developing guidance or proposed regulations on the consideration of recognized security practices.

Awarding Enforcement Penalties to Individuals Harmed by HIPAA Noncompliance

A second part of HHS's RFI addresses a HITECH Act requirement under which the agency must establish a method for distributing to individuals who are harmed by HIPAA noncompliance a percentage of the resulting penalty or monetary settlement (HITECH Act § 13410(c)(3)). The statute instructs HHS to base penalty amount determinations on the nature and extent of a violation and the resulting harm (though the statute does not define harm for this purpose).
In the HIPAA enforcement context, HHS considers certain kinds of harm to be aggravating factors in imposing civil money penalties on CEs or BAs for noncompliance (see Practice Note, HIPAA Enforcement: Penalties and Investigations: Factors in Determining Penalty Amount). However, HHS's RFI notes that the HITECH Act and HIPAA rules do not define harm either:
  • As a general matter.
  • For purposes of identifying and quantifying harm to determine an amount to be shared with individuals.
As a result, HHS's RFI seeks comments concerning:
  • How to define harm and what bases should be used for deciding which injuries are compensable.
  • The types of harms that should be considered in distributing civil money penalties and monetary settlements to harmed individuals.
  • Potential methods for distributing or sharing funds with harmed individuals (for example, individual-specific, fixed-recovery, or hybrid approaches).
A lengthy set of questions in HHS's RFI addresses:
  • What should constitute harm under the HIPAA rules.
  • Whether all types of harm should trigger the distribution requirement, or only certain ones.
  • The amount to be set aside or distributed to harmed individuals.

Practical Impact

For CEs and BAs that have already implemented recognized security practices (including in the cybersecurity context), the 2021 legislation is an opportunity to receive credit for doing so in the event of an HHS HIPAA enforcement action. These CEs and BAs therefore have an incentive to respond to HHS's RFI and help shape implementation of the 2021 legislation, including how HHS defines the start of the 12-month look-back period and what evidence it will accept that practices were in use. Comments in response to HHS's RFI were due by June 6, 2022.