Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules.

April 29, 2022

June 6, 2022 is the deadline for health plans, their sponsors, fiduciaries, administrative and other business associates and others to provide input to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) that OCR says it seeks to help shape how it defines and implements the “recognized security standards” requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021 for purposes of its administration and enforcement of civil monetary penalty and other provisions of of the Health Insurance Portability and Accountability Act (“”HIPAA”). The regulatory and enforcement decisions that OCR makes could significantly impact the civil monetary penalty liability, compliance, audit and recordkeeping responsibilities that health plans, health care providers, health care clearinghouses and their business associates (“Covered Entities”) face under the HIPAA Security and Breach Notification Rules.

OCR is inviting public input on two issues under the OCR Request for Information on Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended (RFI) released April 6, 2022:

  • The definition and administration of the “recognized security practice” factor the HITECH Act requires OCR to consider when assessing audit results, civil monetary penalty and settlement amounts and other HIPAA Security and Breach Rule enforcement; and
  • The rules that OCR will follow to determine when and how OCR will share portions of amounts it receives from civil monetary penalties or settlements with individuals harmed by breaches of electronic protected health information, 

Recognized Security Practices

Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule pursuant to an investigation, compliance review, or audit. 

A primary goal of the requirement, which took effect January 5, 2021, is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

Civil Money Penalty (CMP) and Settlement Sharing

Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to that offense.

Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

Comments Due 6/6

Health plan and other Covered Entity input could significantly impact how OCR implements and administers these two important aspects of the HIPAA Security Rule going forward.  As these decisions are likely to significantly impact the policies, practices, recordkeeping, breach investigation and other obligations that Covered Entities would need to meet in the event of an audit, breach or other investigation or enforcement, timely, thoughtful input from all Covered Entities and affected stakeholders is important.  In addition, its decisions on how to distribute CMPs.

For more information about the RFI or instructions for submitting comments, see here.

Health Plan Security & Breach Exposures Beyond HIPAA

Beyond the significant exposures health plans and their business associates may face under HIPAA, recent Department of Labor Employee Benefit Security Administration (“EBSA”) guidance also signals growing risks for health plans and their fiduciaries under the Employee Retirement Income Security Act of 1974. See e.g., HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats.

These are just some of the emerging health plan compliance risks and responsibilities that health plan, their fiduciaries, sponsors, administrators, service providers and insurers need to watch and manage. Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance will discuss these and other risks during the “Department of Labor Health Plan Compliance and Enforcement Update” at a virtual program hosted by the American Bar Association Joint Committee on Employee Benefits from Noon to 1:30 p.m. Central Time on May 5, 2022 to be moderated by Solutions Law Press, Inc. author and publisher, attorney Cynthia Marcotte Stamer will moderate the program.

For additional information about or to register for this program, see here.

More Information.

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, well-known for her extensive work with health and other employee benefits, health care and life sciences, insurance, financial services, technology, and other highly regulated and performance reliant organizations and their leadership, Ms. Stamer works with these and other businesses and their management, employee benefit plans, insurers, health care and life sciences, governments and other organizations deal with all aspects of health care, human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, Form I-9 and other compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a practicing attorney, as well as as an industry, policy management consultant, and policy strategist as well through her leadership participation in professional and civic organizations. Examples of her many leadership involvements include service as the Vice President and Executive Director of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; Vice Chair of the ABA International Law Section Life Sciences and Health Committee; Vice Chair of the ABA Tort & Insurance Practice Section Medicine and Law Committee and former Vice Chair of its Employee Benefits Committee and its Worker’s Compensation Commitee; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, current Welfare Committee Co-Chair and past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy and others.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

As part of these involvements, Ms. Stamer is scheduled to moderate the discussion of “Department of Labor Health Plan Compliance and Enforcement Update” with Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance that the ABA Joint Committee on Employee Benefits is hosting on May 5, 2022. For additional information about or to register for this program, see here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com including the following:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.