Any Port in a Storm? OCR Seeks Comments on HIPAA “Safe Harbor” for Recognized Security Practices

Earlier this month, HHS’s Office for Civil Rights (OCR) issued a Request for Information (RFI) seeking comments on a statutory provision adopted last year that provides a quasi-safe harbor for entities that have voluntarily implemented “recognized security practices” as part of their compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the event of an OCR audit or enforcement action. The RFI, and any OCR guidance or rulemaking that results from it, could have important implications for covered entities’ and business associates’ efforts to comply with the HIPAA Security Rule.

Background

Under a 2021 amendment to the HITECH Act, covered entities or business associates that adequately demonstrate that they have implemented “recognized security practices” during the previous 12 months could receive mitigated fines in the event of an OCR action to enforce HIPAA, an early favorable termination of an audit, and mitigated remedies in any agreement with OCR to resolve potential violations of the HIPAA Security Rule. The HITECH amendment defines “recognized security practices” as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under [the NIST Act], the approaches promulgated under [the Cybersecurity Act of 2015], and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities” and that are “determined by the covered entity or business associate, consistent with the HIPAA Security rule.” The HITECH amendment does not expressly require rulemaking, however, and without further detail on how OCR will interpret and apply the “recognized security practices” standard, its usefulness to covered entities and business associates in designing and implementing their security programs has been limited.

OCR’s RFI

In its RFI, OCR seeks comments to inform future guidance or rulemaking that it may issue to better inform interested parties on the application of the HITECH “recognized security practices” standard. To that end, OCR has asked for input on several questions, including:

  • What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  • What approaches promulgated under the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  • What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  • What steps do covered entities take to ensure that recognized security practices are “in place”?
    • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?
    • What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?
  • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

Key Takeaways

The RFI offers covered entities and business associates a key opportunity to influence how OCR will interpret and implement the “recognized security practices” safe harbor. As OCR’s recent guidance on evolving cybersecurity threats shows, even a well-prepared organization could find itself the victim of a breach and resulting scrutiny from OCR. The safe harbor could thus have significant practical and legal benefits for covered entities and business associates.

The practical benefits could include greater clarity on what OCR expects when it comes to compliance with the HIPAA Security Rule, and a more detailed roadmap for organizations seeking to meet those expectations. And although the “recognized security practices” safe harbor might not serve as a “get out of jail free card” when it comes to OCR sanctions following a breach, the prospect of mitigated fines and other penalties will provide a strong legal incentive for organizations to implement any steps OCR determines need to be taken for the safe harbor to apply.

Interested parties that wish to submit comments in response to the RFI may do so on or before June 6, 2022. Those comments can be submitted electronically or by mail as set forth in the RFI. If you have questions about the RFI, or about how your organization can mitigate the risk associated with OCR audits or enforcements relating to the HIPAA Security Rule, please don’t hesitate to contact a member of our team.