HHS wants healthcare industry feedback on security practices, penalties

The Department of Health and Human Services is seeking industry feedback on the security practices currently being employed by healthcare-covered entities and business associates, as detailed in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The RFI also requests comments on either information or clarifications HHS's Office of Civil Rights (OCR) could provide healthcare entities on implementing future security guidance or rule-making, as well as recommendations for possible methodologies on how civil monetary penalties could be shared with harmed individuals.

Enacted in 2009, HITECH promotes the adoption and meaningful use of health tech and includes a section that addresses the privacy and security concerns tied to electronic data-sharing meant to strengthen The Health Insurance Portability and Accountability Act (HIPAA). 

A 2021 modification decreased the length and extent of OCR audits, while mandating that HHS take into consideration whether entities that report a breach “adequately demonstrate” recognized security practices when they make a determination on penalties. Those with implemented standards may also see “favorable termination” of an OCR audit.

The HITECH modification defines the recognized security practices as those outlined in the NIST Cybersecurity Framework, including the guidelines, best practices, methodologies, and policies developed and implemented by the entity and consistent with HIPAA.

At the time, the amendment was lauded by healthcare leaders who’ve long noted that massive financial penalties would only further pull needed funds from cybersecurity programs, or could disregard the current threat landscape and penalize entities that fell victim to attacks despite implementing key security measures.

The rules are voluntary, meaning the relevant entities are not currently required to implement NIST best practices, nor does the rule “provide criteria for covered entities or business associates to use when selecting which category of recognized security practices to implement.” 

The statute instead requires the recognized security practices to be consistent with HIPAA Security Rule requirements. The aim of the modification was to essentially incentivize healthcare entities to adopt industry-standard cybersecurity measures, which aren’t found in HIPAA.

And as “the statute does not expressly require rulemaking,” HHS is seeking further feedback from healthcare leaders on the HITECH modification to “inform potential future guidance or rulemaking that may help stakeholders better understand the application of the statute.”

How do health organizations implement HITECH, HIPAA?

Covered entities and business associates are being asked to share how their organizations translated the statute and implemented the “recognized security practices,” along with their policies or plans to demonstrate the implementation and use of said security measures in the event of an audit. Leaders should also share pressing implementation issues they’d like OCR to clarify in the future.

OCR is also asking for input into certain elements of the statute that it believes could use clarification.

For example, the modification includes the phrasing “had… [recognized security practices] in place” and is equivalent to “implement[ed]” as used and clarified in the Security Rule.” OCR is concerned the measure doesn’t go far enough, as it’s “insufficient for a regulated entity to merely establish and document the initial adoption of recognized security practices.”

“For OCR to consider such practices when making determinations relating to penalties, audits, or other remedies, the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use by the covered entity or business associate over the relevant period of time,” the RFI explained.

Another concern is that the phrasing for the 12-month period, for which an entity must have the standards fully implemented, does not state what action prompts the start of that timeframe.

Entities are also being asked for input on the statute’s definition of harm, which wasn’t included in the modification, nor was HHS instructed to define the term. In particular, HHS is seeking to understand the types of harms that officials should consider when distributing civil monetary penalties or settlements to harmed individuals, as well as the suitability of this type of action.

OCR invites relevant entities to also submit recommended alternatives to these methodologies that they’ve possibly overlooked. The RFI includes several scenarios of OCR’s enforcement on HIPAA rules to help inform stakeholder comments.

The RFI thoroughly describes each consideration, addressing a host of concerns and recommendations discussed by industry stakeholder groups in recent years. Entities interested in sharing input with HHS OCR can do so until June 6, 2022.