On April 6th, 2022, a HIPAA-regulatory Request for Information (RFI) was released by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) soliciting feedback from the public for future rulemaking. The RFI seeks information on how the industry views “recognized security practices,” and on OCR’s compensating individuals based on harm they suffer from a HIPAA violation. Using input from the RFI, the OCR will develop rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
By way of brief background, in 2009 HITECH was enacted by congress to expand HIPAA’s enforcement and breach notification rules, increasing fines that regulated entities and business associates could encounter. OCR’s enforcement activities have ramped-up dramatically since the passage of HITECH. In 2021, HITECH was amended to require the OCR to consider, when assessing fines, whether the entity had implemented “recognized security practices” at least 12 months before the HIPAA violation occurred.
Firstly, HITECH notes that implemented “recognized security practices” will be considered when determining the amount in fines for a HIPAA violation, but it fails to provide healthcare entities a concrete framework of acceptable “recognized security practices.” In addition, HITECH does not clarify what action initiates the beginning of the 12-month period of adopted “recognized security practices.” Consequently, the OCR issued the RFI seeking comments as to the types of security practices that it should consider as mitigating factors.
Second, HITECH requires the OCR to issue a percentage of any civil monetary penalty or monetary settlement OCR collects to the individual harmed by the violation. Yet, HITECH fails to define what types of “harm” should be compensable under HITECH, and other issues related to the penalty sharing. The RFI comments seek input on issues related to this statutory standard, including which methodology the OCR should implement to allocate the appropriate amount of compensation for harmed individuals.
OCR has requested feedback on three potential compensation models. First, the Individualized Determination Model requires the harmed individual to provide adequate evidence that justifies a monetary award, with the amount dependent on the extent of harm found on a case-by-case basis. Next, the Fixed Recovery Model awards all victims with a fixed amount. Finally, the Hybrid Model combines both the previous models by setting a fixed amount of compensation with the opportunity for increased awards based on evidence of assessable harm.
OCR’s penalty sharing rules, when finalized, are likely to change the HIPAA enforcement landscape further dramatically, as plaintiff attorneys and harmed individuals lobby OCR for more enforcement/more penalties (and hence more money to share).
For more information on the RFI, please see HIPAA RFI Opens Door to HIPAA ‘Class Actions’ and Security Rule Changes, authored by Clinton Mikel for the American Bar Association, Health Law Section.
Covered entities and business associates should proactively work to ensure their HIPAA compliance.