HIPAA RFI Opens Door to HIPAA ‘Class Actions’ and Security Rule Changes

OCR issued the RFI seeking input on two primary issues – (1) to determine what should constitute “recognized security practices” under the Health Information Technology for Economic and Clinical Health Act (HITECH); and (2) to determine what type of harm individuals should be compensated for when they are part of a HIPAA violation, and the methodology for determining the amount of compensation.

First, OCR acknowledged that HITECH requires HHS to consider the “recognized security practices” that covered entities and business associates have employed (for at least 12 months) when determining the amount of fines for a HIPAA violation. As HITECH did not expressly require rulemaking, there has been confusion and misunderstanding as to the application of the “recognized security practices” framework. By way of example, HITECH fails to specify what action initiates the beginning of the 12-month period for the adoption of “recognized security practices.” In an effort to provide guidance to stakeholders on the application of the “recognized security practices” rule, OCR issued the RFI to solicit comments as to the types of security practices that are industry standard and commonly considered to appropriately address cybersecurity risks.

Second, the RFI noted that HITECH requires OCR to distribute a percentage of any civil monetary penalty (CMP) or monetary settlement collected under Subtitle D of HITECH or Section 1176 of the Social Security Act to the individual harmed by the noncompliance at issue. However, HITECH fails to define “harm” and fails to provide any guidance as to the type of “harm” that should be compensable under HITECH. Further, OCR noted that HITECH provides no indication as to the percentage of the penalty that should be distributed, nor does it provide a methodology to determine such an amount. Accordingly, OCR submitted this RFI to solicit comments as to what types of harm should be compensable under HITECH and which methodology OCR should utilize to determine the appropriate amount of the penalty to share with the harmed individual.

Recognized Security Practices

Congress enacted HITECH in 2009. HITECH expanded HIPAA’s Enforcement and Breach Notification Rules, and increased the fines that covered entities and business associates could face.  Since HITECH was implemented, OCR has increasingly audited providers and levied numerous penalties, including multi-million-dollar fines. Post-HITECH, HIPAA was no longer a paper tiger.

Notably, HITECH was amended in 2021 to require OCR to consider, when determining the amount of fines to administer for HIPAA violations, whether the covered entity/business associate had implemented certain “recognized security practices” at least 12 months prior to the violation. If the entity has numerous “recognized security practices” in place to protect against HIPAA violations, then OCR should consider this information, and administer a lower fine.

Though part of the HITECH statutory language, the “recognized security practices” framework has never been discussed by OCR in the Federal Register, FAQs, or other OCR guidance. This RFI changes that, presenting a learning opportunity for regulated entities and providing the beginning of a defensive framework for healthcare attorneys representing regulated entities in OCR enforcement and auditing activities.

RFI

As noted in the RFI, one of the primary goals of the HIPAA Security Rule is to encourage regulated entities to take action to ensure that they have done everything in their power to safeguard patient data. In connection with this goal, as noted above HITECH was amended in 2021 to define “recognized security practices” as one of several types of practices, including:

• Standards, guidelines, best practices, methodologies, procedures, and processes developed under Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
• Practices promulgated under Section 405(d) of the Cybersecurity Act of 2015; and
• Other programs and processes addressing cybersecurity that have been developed, recognized, or promulgated through other regulations.

The RFI clarifies OCR’s stance that it is insufficient for a regulated entity to merely establish and document the initial adoption of recognized security practices. Rather, OCR requires the entity to be able to demonstrate that the recognized security practices have been fully implemented (i.e., are actively and consistently in use) for OCR to consider such practices when making determinations related to penalties, audits, or other remedies.

The RFI further provides that HITECH fails to provide any criteria for covered entities or business associates to rely on when determining what types of recognized security practices they should implement. HITECH also fails to provide guidance as to when the beginning of the 12-month look back period for recognized security practices begins. As such, OCR is seeking comment on how covered entities and business associates currently understand and are implementing “recognized security practices.”

OCR has also solicited comments on several specific questions related to “recognized security practices,” including:

1. What recognized security practices have regulated entities implemented;
2. Which standards, guidelines, best practices, methodologies, procedures, and processes under the NIST, Cybersecurity Act of 2015, or other program do regulated entities rely on when implementing recognized security practices;
3. What steps do regulated entities take to ensure that recognized security practices are “in place;”
4. What steps do regulated entities take to ensure that their recognized security practices are actively and consistently in use continuously over a 12-month period;
5. What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices; and
6. What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?

The RFI indicates this information could be utilized by HHS to develop future guidance and/or rules for implementing recognized security practices.

Security Rule Implications

HIPAA’s Security Rule is generally not proscriptive and offers extreme flexibility – though some implementation specifications are “required,” most are “addressable.” HIPAA’s Security Rule also largely eschews mandating strict technological standards. Notoriously, for example, encryption is not technically required under the HIPAA Security Rule; however, encryption is considered an industry standard for all covered entities and business associates, and encryption provides an important “exemption” to HIPAA’s Breach Notification Rule. Healthcare attorneys know that, de facto, if there is a breach and there is no encryption (like the classic lost laptop example), OCR will be heavy handed in its response.

Likewise, HITECH does not require covered entities or business associates to implement “recognized security practices” – rather, it provides covered entities and business associates with a potential tool to mitigate the amount of fines imposed due to HIPAA violations. But, much like “encryption,” the “recognized security practices” established under the RFI’s future rulemaking have the potential to provide focused standards that can assist with baseline HIPAA compliance.

Under the RFI, OCR is already providing guidance on more concrete security standards for covered entities and business associates to consider in their HIPAA Security Rule compliance. It is likely that, if the RFI leads to more prescriptive standards as to what is a “recognized security practice” (i.e., fine mitigator), the industry will rush to implement these “fine mitigation” standards into Security Rule compliance.

Defensive Opportunities

OCR’s RFI on “recognized security practices” under HITECH is a largely good step for the industry overall. The information elicited under the RFI, and codified in future Federal Register commentary and rulemaking, could aid in developing clearly defined security measures for covered entities and business associates.

Moreover, even before formal rulemaking, the RFI can operate as a “checklist” to assist attorneys in responding to/defending against OCR HIPAA breach investigations, hopefully helping mitigate the risks of fines for HIPAA violations. Covered entities and business associates involved in OCR investigations should:

• Document and show OCR all security practices that have been adopted to mitigate the risk of HIPAA violations;
• Show documentation that the security practices have been in place for at least 12 months prior to the HIPAA violation; and
• Remind the OCR investigator of the HITECH requirements for OCR to consider any “recognized security practices” when determining the amount of fines to administer.

The RFI contains considerable details on the nuts and bolts of crafting these arguments defensively.

Compensating Individuals Harmed by HIPAA Violations

HIPAA itself has no private cause of action. However, the HITECH statute contained a provision specifying that when an “individual is harmed by” a “privacy or security rule violation, and OCR levies CMP, then “the Secretary shall establish by regulation and based on [GAO] recommendations… a methodology under which [the] individual… may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.” Essentially, OCR was required to develop a methodology to share a percentage of proceeds from fines/settlements with harmed individuals.

Under the RFI, OCR is now considering implementing a methodology for individuals harmed by HIPAA violations to be compensated for such harm. Like the “recognized security practices” framework under HITECH, this provision of the HITECH statute has been dormant for more than a decade.

What is Harm?

The RFI begins by noting that the HITECH statute failed to define what constitutes “harm” against an individual. Previously, HHS amended HIPAA’s Enforcement Rule to identify four types of harm that OCR may consider as aggravating factors in assessing a covered entity’s or business associate’s CMP or proposed settlement amount, including: (i) physical harm; (ii) financial harm; (iii) reputational harm; and (iv) harms that hinder one’s ability to obtain healthcare. Under the RFI, OCR is requesting information as to what types of harm should be compensable for HIPAA violations, and the appropriate methodology that should be adopted to facilitate the monetary awards.

OCR is also seeking comment on:

1. Whether there are any circumstances in which harm should be presumed;
2. Whether harm should include the release of information about a person other than the individual that is the subject of the information (e.g., a family member whose information was included as part of a patient’s family health history);
3. Whether OCR should implement a minimum or maximum limit for the total amount of any penalty a harmed individual may be compensated for;
4. What constitutes compensable harm with respect to violations of the HIPAA rules;
5. Should compensable harm be limited to past harm;
6. Should only economic harm be considered;
7. Should harm be limited to the types of harm identified as aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain healthcare);
8. Should harm be expanded to include additional types of noneconomic harms such as emotional harm;
9. How should harmed individuals be identified? How should they be notified? What if they are deceased? What if they cannot be located? Within what timeframe after a settlement agreement or imposition of a CMP should individuals submit claims to be eligible for disbursement; and
10. What methodologies should OCR consider for sharing and distributing monies to harmed individuals? Should there be a minimum or maximum amount or percentage? Should there be an appeals process?

Potential Compensation Models

In its RFI, OCR discusses several potential compensation models that it is considering implementing to compensate individuals harmed by HIPAA violations – (i) the Individualized Determination Model, (ii) the Fixed Recovery Model, and (iii) the Hybrid Model. Each model varies in its methodology for determining the amount of compensation to provide to the harmed individuals. OCR issued the RFI to solicit comments on which compensation model stakeholders believed would work best or for other relevant compensation model examples. OCR is also seeking comments on other aspects of the compensation model, including: (i) whether the distribution model should recognize and account for in-kind benefits; (ii) whether the compensation model should ensure that all harmed individuals receive compensation; (iii) should individuals have the right to appeal a decision not to disburse funds; (iv) should there be a timeframe for individuals to submit claims; (v) should there be a timeliness requirement for claims; (vi) should there be a cap on the total percentage amount an individual may collect; and (vii) should the distribution methodology take into consideration any potential or actual compensation the harmed individual receives from an outside source.

OCR based the Individualized Determination Model on the private civil claims model. Under this model, the harmed individual would bear the burden of proving: (1) that the individual suffered harm by the HIPAA violation, (2) the extent of the harm incurred for damages, and (3) that the defendant was liable for such harm. Ultimately, this model demands the plaintiff/harmed individual provide sufficient evidence to support a monetary award against the defendant, with the amount being determined by the extent of harm incurred by the plaintiff and the defendant’s liability for said breach. Further, due to the nature of this model (being based on the private civil claims model), each case would need to be heard by a “jury” to determine the amount of any monetary awards. As an example, OCR refers to the Consumer Financial Protection Bureau (CFPB) which uses an individual assessment model to distribute monetary awards for certain economic harms. Under the CFPB model, individuals are provided compensation in one of several ways: (1) the victim’s share of an ordered redress amount; (2) if no ordered redress amount, then a harm formulation contained in the underlying final order; or (3) if no ordered redress or harm formulation, then the victim’s out-of-pocket losses to the extent they are readily determinable.

Alternatively, OCR is considering the Fixed Recovery Model, which awards victims with a fixed amount or an amount calculated by a fixed formula. OCR refers to the Black Lung Benefits Act (BLBA) as an example of such model. Under the BLBA model, an individual receives a fixed formula award only upon providing medical documentation demonstrating the individual’s medical condition. The amount of the award is based upon a statutory formula, which may be reduced when compensation for the same ailment is received from other sources (e.g., workers’ compensation). Recovery under the BLBA model does not consider the victim’s economic or non-economic harm.

The final model OCR is considering is the Hybrid Model, which combines elements of both prior models. OCR provides that the Hybrid Model may be useful to reflect uncertainty as to the types of harm that can be demonstrated with evidence (e.g., economic and non-economic harm). As an example of such model, OCR refers to the Privacy Act of 1974. The Privacy Act of 1974 provides a private right of action for the unlawful disclosure of an individual’s records in a willful or intentional manner. The Privacy Act sets a low-end bar at $1,000 for a monetary award under the Act, even when evidence of quantifiable harm is less than $1,000. When the plaintiff can provide evidence of quantifiable harm greater than $1,000, the plaintiff may recover the full amount of actual damages. Essentially, the Hybrid Model provides a fixed amount of recovery with the potential for increased monetary awards based on evidence of quantifiable harm.

Lastly, OCR noted in the RFI that while HIPAA does not provide a private right of action, it does not preclude such remedies under state or other law. In fact, every state’s tort law system provides a means for individuals to seek redress when they are harmed by a negligent breach of duty. However, some states have laws that specifically address the unauthorized disclosures of medical information. By way of example, California permits individuals to seek nominal damages of $1,000 for the negligent disclosure of their medical information without showing any evidence of suffering. Likewise, New York permits individuals to seek civil penalties of up to $2,000 for violations of its health privacy law, and up to $10,000 if the violation directly resulted in a serious physical harm to the patient.

Implications/Potential for Mini-Class Actions

OCR’s re-ignition of HITECH’s dormant “sharing” requirement portends a troubling future for regulated entities. The frameworks being considered under the RFI, and the content of the RFI itself, make it clear that OCR could radically change the HIPAA-enforcement landscape. The RFI's progeny could essentially spawn an OCR-administered “mini-class action” framework for HIPAA harms. While there is no private cause of action under HIPAA, this right to compensation, coupled with any appeal rights provided to harmed individuals, could result in pseudo class actions against covered entities and business associates. Accordingly, covered entities and business associates should be keenly attuned to this RFI and future OCR rulemaking. Based upon the detailed questions in the RFI, OCR appears to be far along in its development of this compensable harm policy.

While this shift may not develop a private cause of action in the strictest sense of the term, these models may be better for potential whistleblowers (and their attorneys). Individuals, especially collectively, would be incentivized to notify and pressure OCR on even the most insignificant HIPAA breaches, in light of the chance to receive a monetary award. This would be potentially exacerbated if the Fixed Recovery Model or Hybrid Model are adopted, as the individual could be awarded some fixed amount award for even an insignificant violation that resulted in little to no exposure or harm to the individual’s personally identifiable information. The Individualized Determination Model would require more evidence than the other models, but depending on how OCR implements the potential model, could still open the door to significant whistleblowing under HITECH.

OCR would need to adhere to the “recognized security practices” framework when determining the total amount of CMP to be collected. And, in any case, the total amount of the CMP (including the portion shared with the harmed individual) may not exceed the statutory maximums set by HITECH. However, HITECH dramatically raised the minimum and maximum CMP penalty amounts that OCR can levy (as adjusted for inflation), and the maximum penalty amount sets no total cap on total penalties, but rather sets a maximum penalty for identical violations. Penalties can increase significantly if the covered entity or business associate has multiple different penalties/violations. 

All of the foregoing would, obviously, lead to increased costs in responding to HIPAA breaches, HIPAA violations, and doing business in the healthcare industry.

Conclusion

OCR’s RFI foreshadows radical changes in how covered entities and business associates comply with HIPAA’s Security Rule, and how HIPAA is enforced/prosecuted. Stay tuned and stay involved. Covered entities, business associates, and other stakeholders would be well advised to monitor any developments arising from this RFI. Again, comments on the RFI are due by June 6, 2022. Stakeholders should consider submitting comments to OCR, and the ABA Health Law Section is working on comments as well (contact [email protected] if you have any issues you think should be raised).