Healthcare Groups Provide Feedback on HITECH Recognized Security Practices
Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.
It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively.
In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a HIPAA-regulated entity for no less than 12 months previously, when making certain determinations. Recognized security practices are those outlined by the National Institute of Standards and Technology (NIST), HIPAA Security Rule, and privacy and security frameworks.
Essentially, if recognized security practices have been adopted and have been continuously in place for at least 12 months, financial penalties could be reduced or avoided altogether, and the length and extent of audits and compliance investigations would be reduced.
Feedback from Healthcare Industry Groups
Several healthcare industry groups responded to the RFI and provided feedback, including the Healthcare Information and Management Systems Society (HIMSS), Medical Management Association MGMA, and the Connected Health Initiative (CHI).
HIMSS has welcomed the amendments to the HITECH Act and in its letter to the HHS stressed the importance of a unified approach to healthy cybersecurity and information privacy practices, as emphasized in the HITECH Security Practices.
HIMSS recommended “OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.”
HIMSS recommends OCR should foster innovation in standards by recognizing the value of adherence to widely accepted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework and the HITRUST Common Security Framework, rather than trying to define a fixed set of cybersecurity practices, which has the potential to become outdated in a rapidly changing threat landscape. OCR should also align its work with other federal agencies to improve best practices for healthcare.
HIMSS expressed concern that “a strict interpretation of security practices in place continuously over a 12-month period could have the unintended consequence of discouraging the adoption of new methods during that time frame.” HIMSS stressed the importance of encouraging organizations to update security practices regularly as new technologies or methodologies emerge and giving them the flexibility to update processes throughout the year to meet ever-changing cybersecurity best practices without fear that they may run afoul of the requirement for consistent and continuous use. “HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.”
With respect to the financial penalties, HIMSS suggested OCR should earmark some of the fine amounts for helping to fund and distribute educational materials and other resources to HIPAA-regulated entities to ensure that all organizations have the knowledge and resources to prevent or mitigate cyberattacks.
MGMA explained in a letter to HHS Secretary Xavier Becerra that it represents a wide range of medical groups and hundreds of thousands of physicians, and has been working diligently to improve education on cybersecurity best practices. MGMA said its members are becoming more vigilant and are voluntarily taking steps to protect themselves and their patients and welcomes the efforts of the HHS to understand and consider those measures when making certain determinations.
MGMA has made three key recommendations. The HHS should provide HIPAA-regulated entities with the flexibility to choose which recognized security practices to adopt, as there are vast differences in the technical and financial capabilities of medical groups, which can include small private practices in rural areas to large regional and national health systems, and the full spectrum of physician specialties and organizational forms. If specific recognized security systems are required, there could be unintended consequences stemming from the increased cost and administrative burden. Medical groups need to balance security with their ability to stay financially viable and avoid interruptions to patient care. MGMA has recommended the HHS does not mandate what constitutes recognized security practices any further, and that the HHS should accept and not limit the broad statutory definition of the term recognized security practices.
MGMA has requested OCR provide best practices and education, including sample frameworks and checklists, that include real-world approaches for medical groups to implement acknowledged cybersecurity policies into their practices, and has also requested the HHS ensure potential requirements are consistent with other programs, such as the Office of National Coordinator for Health Information Technology (ONC) rulemaking to prohibit “information blocking.”
CHI said it supports OCR’s efforts to encourage the adoption of recognized security practices and for those practices to be considered as a mitigating factor when investigating data breaches, complaints, and reviews for potential HIPAA violations, but suggests that the 2021 HITECH Act revision should only apply to HIPAA compliance enforcement actions and audits.
Since current security standards will evolve over time, CHI recommends that OCR consider new and emerging risk management security standards in its recognized security practices, rather than specifying a set of security practices. CHI has also requested OCR provide up-to-date and clear information on the obligations of healthcare organizations under HIPAA, in light of the many changes that have occurred across the industry since the HITECH Act was passed, including changes to technology.
For instance, the HIPAA Privacy and Security Rules were introduced prior to the release of the first iPhone, and there is a lack of clarity about how HIPAA applies to mobile environments, which can deter healthcare providers from adopting patient-centered technologies and can prevent patients from fully benefiting from mobile technologies. Further guidance is needed to help healthcare providers adopt new technologies that enable care coordination and ensure compliance.
“OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules,” explained CHI. However, similar educational campaigns are required for providers and patients.
CHI has requested the HHS make no revisions to the HIPAA Privacy Rule that require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules, as this could place an unnecessary burden on HIPAA-regulated entities and could lessen the protections for the privacy of individuals’ PHI.
CHI has also requested OCR provide sample business associate agreement language for developers and providers and should ensure that HIPAA does not prevent innovations in AI technology.