HHS’s Office for Civil Rights (OCR) has issued a request for information (RFI) seeking public comments on two provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act): the effect of recognized security practices, and sharing of penalty and settlement amounts with harmed individuals. OCR is responsible for administering and enforcing HIPAA’s privacy, security, and breach notification provisions. Comments must be submitted by June 6, 2022. Here are highlights of the RFI:
Recognized Security Practices. A 2021 HITECH Act amendment requires OCR to consider in security rule enforcement and audit activities whether a covered entity or business associate has adequately demonstrated that “recognized security practices” were in place for the prior 12 months. In applying this provision, OCR notes that it will consider only practices that the covered entity or business associate demonstrates were fully implemented, meaning that the practices were actively and consistently in use over the relevant period. Comments are requested on the types of practices that covered entities and business associates have adopted, and how they ensure that those practices have been implemented throughout the enterprise and were actively and consistently used over a 12-month period.
Penalties and Settlements. The HITECH Act significantly increased the civil monetary penalties for HIPAA violations (see our Checkpoint article). The law requires HHS to issue regulations establishing a method under which a percentage of any civil monetary penalty or settlement collected with respect to a violation of the privacy, security, or breach notification rules may be distributed to individuals harmed by the violation. Penalty determinations must be based on the nature and extent of violations and resulting harm, but the HITECH Act does not define “harm” or list criteria to aid in defining the term. HHS has identified a nonexhaustive list of the types of harm that may be considered aggravating factors in determining penalties: physical, financial, reputational, and impaired ability to obtain health care. The RFI seeks comments on, among other things, (1) the types of harm to be considered in distributing civil monetary penalties or settlement proceeds to harmed individuals (which may differ from the types of harm used to determine penalty amounts), (2) potential methods for allocating proceeds to harmed individuals, including public policy goals in selecting a method, (3) identification of harmed individuals, (4) reduction of distributions for individuals who are compensated through other mechanisms, and (5) minimum or maximum percentages or amounts set aside for distribution.
EBIA Comment: Regulations on sharing proceeds of HIPAA civil monetary penalties and settlements are more than 10 years overdue. The delay is likely attributable to the thorny issues involved in implementing a distribution method, as suggested by the topics listed in the RFI. Although OCR’s civil monetary penalties and settlement amounts may be large in the aggregate, they can be quite small per capita when a violation affects thousands or even millions of individuals. For example, the Anthem breach resulted in a $16 million settlement for a breach affecting 79 million individuals (see our Checkpoint article). In such cases, it could be impractical to distribute a percentage of the settlement proceeds to every affected individual. For more information, see HIPAA’s Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXIX.E (“Developing Your Security Program”).
Contributing Editors: EBIA Staff.