Department of Health and Human Services Seeks Input on HIPAA “Safe Harbor”

King & Spalding

On April 6, 2022, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Request for Information (RFI) to solicit public comments on the implementation of the “safe harbor” under the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA). The safe harbor, enacted in January 2021 and codified at 42 U.S.C. § 17941, requires OCR, when making determinations regarding fines, the length and extent of audits, and other remedies to resolve potential violations of the HIPAA Security Rule, to consider “recognized security practices” that HIPAA covered entities and business associates “adequately demonstrate” had been in place for not less than the previous 12 months.

The RFI solicits comments on how covered entities and business associates understand and are implementing recognized security practices, how they anticipate adequately demonstrating security practices are in place, and other implementation issues they are considering or would like OCR to clarify for the public.

The statute states that the term “recognized security practices” means:

  • the standards, guidelines, best practices, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;

  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and

  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

While the statute creates considerations for the mitigation of fines, audits, and remedies, it does not require covered entities and business associates to implement recognized security practices, nor does it provide criteria for selecting which category of recognized security practices to implement. The statute also provides that it may not be construed as giving OCR authority to increase fines or the length, extent, or quantity of audits because an entity has not adopted recognized security practices. However, the recognized security practices must be consistent with the HIPAA Security Rule requirements; the safe harbor is a mitigating factor, not a substitute for Security Rule compliance. Covered entities and business associates can use the RFI as an opportunity to argue that certain security practices (e.g., HITRUST certification and SOC 2 Type II attestations) should be deemed sufficient to meet the “recognized security practices” definition when such practices are combined with compliance with the HIPAA Security Rule.

Additionally, in the RFI, OCR notes that it expects “adequate demonstration” by covered entities and business associates to mean that the practices have actually been implemented, not merely adopted on paper. Entities are encouraged to submit comments on that position and may, for example, seek clarification on the difference between “adoption” and “implementation,” and on whether “implementation” of security practices can be achieved through a vendor.

The RFI is available on the Federal Register website at 87 Fed. Reg. 19833 (Apr. 6, 2022). Comments must be submitted by June 6, 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
