Facing Escalating Attacks, AHA Presses OCR to Expedite Security Practices Rule

Health Care Compliance Association (HCCA)
Report on Patient Privacy 21, no. 12 (December, 2021)

Amid the letters of congratulations to new HHS Office for Civil Rights (OCR) Director Lisa Pino is a plea from the American Hospital Association (AHA): “victims” of escalating health care attacks need OCR to quickly identify security practices as required under a law enacted in January.

“Absent the implementation of this law, there may be continued reluctance by health care victims of cyber attacks to cooperate with law enforcement, due to a fear of regulatory repercussions,” AHA Executive Vice President Stacey Hughes recently wrote to Pino.[1]

In the waning days of the 2020 session, Congress passed a law giving OCR the ability to lessen penalties for security rule violations if the covered entity (CE) or business associate (BA) could prove that, in the prior year, it had “recognized security practices in place.”[2] Although the law does not require it, OCR officials signaled this spring they would be engaging in rulemaking to implement the law.[3]

Nearly a year after H.R. 7898 was signed into law by then-President Trump, there’s no sign of any related rules, and, based on how OCR is planning to move forward, it will be some time before a rule emerges. However, in response to questions from RPP, an agency spokesperson said the law “was effective upon enactment” and that the agency “has implemented the requirements of H.R. 7898 into the HIPAA Enforcement Program.”

AHA Presses OCR on Rule

The law seeks to provide a safe harbor of sorts to CEs and BAs that adopt “recognized security practices” but then later are accused of violating the security rule or are subject to an audit.

The CE or BA will have to “adequately demonstrate” to OCR that it had such practices in place “for not less than the previous 12 months.” If so, the law allows OCR to decrease the length and extent of an audit, such as closing an audit early with a “favorable termination.” In addition, fines and other “remedies in any agreement with respect to resolving potential violations of the HIPAA Security rule” could be mitigated.

These practices are not spelled out in the law, and it allows CEs and BAs to determine those they want to employ. However, the law refers to recognized practices as those developed by the National Institute of Standards and Technology, “the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The government’s compendium of planned rules, the Unified Agenda and Regulatory Plan, is usually published twice a year—in spring and fall. To date, the Biden administration hasn’t published the fall agenda; the spring version appeared on June 11.[4]

According to the spring agenda, OCR plans to issue a request for information (RFI), or what is also called a prerule, before it publishes a notice of proposed rulemaking (NPRM), which would then be followed by a final rule and an effective date into the future. The prerule and proposed rule would both include comment periods, which, while helping to inform federal officials, also lengthen the rulemaking process.

It may also take OCR longer than usual to issue the RFI because it has taken something of a kitchen-sink approach, including several decades-old requirements that are not related to the law at issue.

RFI May Address Multiple Issues

According to the entry in the Unified Agenda, the RFI “would solicit the public’s views on establishing a methodology for the distribution of CMPs and monetary settlements to those harmed by an offense under the HIPAA Rules relating to privacy or security.” This rule has been on OCR’s agenda since passage of the HITECH Act in 2009.

Additionally, the RFI “would seek additional comment on modifying the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of the HITECH Act, sec. 13405(c). OCR plans to withdraw the Accounting of Disclosures NPRM that was issued in 2011 when a new NPRM on accounting of disclosures is issued.”

The entry in the unified agenda notes that OCR is under no “statutory deadline” for implementing the law and that it “does not require rulemaking.”

AHA said OCR should skip the RFI or prerule stage, and hurry things along. Providers today are working amid cyber threats that “continue to grow in volume, severity and sophistication,” according to the letter.

“Given the continued wave of cyber and ransomware attacks targeting health care, along with this law’s importance as a means to incentivize increased adoption of recognized cybersecurity practices and cooperation with the government, we urge OCR to quickly initiate full notice and comment rulemaking, rather than embark on a pre-rulemaking phase as listed in the current version of the Unified Regulatory Agenda,” Hughes wrote.

OCR: No Timeline for Rule-Making

Hospitals responded to the pandemic and COVID-19 patients by “rapidly” implementing what AHA called “network-connected and remote technologies,” but “this created a vastly expanded attack surface upon which international cyber criminals and foreign spies can leverage against hospitals, health systems and patients,” it said.

Health systems and hospitals, already under stress from COVID-19, “suffered a dramatic increase in cyber attacks. Most concerning, there has been a significant increase in high-impact, regionally disruptive ransomware attacks, which have interfered with care delivery and placed patient safety at risk,” Hughes continued in the letter.

Implementation is necessary amid the “continued wave of cyber and ransomware attacks targeting health care,” and it also would “incentivize increased adoption of recognized cybersecurity practices and cooperation with the government,” according to AHA.

In a statement provided to RPP, an OCR spokesperson said the agency is already taking advantage of the provisions of the law, which amends the HITECH Act retroactive to Dec. 13, 2016, the effective date of the 21st Century Cures Act.

The agency “appreciates the thoughtful letter” from AHA, the spokesperson said. “We agree that the ongoing wave of cyber and ransomware attacks targeting health care has underscored the need for increased adoption of recognized cybersecurity practices and cooperation with the government to improve the security posture of the health care industry.”

1 Stacey Hughes, “AHA Urges OCR to Expedite Regulatory Relief For Certain Cybersecurity Practices,” American Hospital Association, letter to Lisa J. Pino, November 15, 2021, https://bit.ly/31nAG0f.
2 Theresa Defino, “Congress Gives Organizations a Break on HIPAA Fines,” Report on Patient Privacy 21, no. 1 (January 2021), https://bit.ly/3rSr1Gq.
3 Theresa Defino, “OCR Weighing Options After MD Anderson Loss, Writing Rules for ‘Safe Harbor’ Law,” Report on Patient Privacy 21, no. 4 (April 2021), https://bit.ly/31qu5C6.
4 U.S. Department of Health & Human Services, Office for Civil Rights, “HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH,” RIN: 0945-AA04, Spring 2021, https://bit.ly/31rndVv.
