Proposed Rule2022-07210
Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
April 6, 2022
Issuing agencies
Health and Human Services Department
Abstract
The Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS or the Department) is issuing this Request for Information (RFI) to solicit public comment on certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, namely: The consideration of recognized security practices of covered entities and business associates when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule; and the distribution to harmed individuals of a percentage of civil money penalties (CMPs) or monetary settlements collected pursuant to the HITECH Act, which requires the Secretary of HHS (Secretary) to establish by regulation, and based upon recommendations from the Government Accountability Office (GAO), a methodology under which an individual who is harmed by an act that constitutes an offense under certain provisions of the HITECH Act or the Social Security Act relating to privacy or security may receive a percentage of any CMP or monetary settlement collected by OCR with respect to such offense.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 66 (Wednesday, April 6, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 66 (Wednesday, April 6, 2022)]
[Proposed Rules]
[Pages 19833-19839]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-07210]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 164
RIN 0945-AA04
Considerations for Implementing the Health Information Technology
for Economic and Clinical Health (HITECH) Act, as Amended
AGENCY: Office for Civil Rights, Office of the Secretary, Department of
Health and Human Services.
ACTION: Request for Information.
-----------------------------------------------------------------------
SUMMARY: The Office for Civil Rights (OCR) at the United States
Department of Health and Human Services (HHS or the Department) is
issuing this Request for Information (RFI) to solicit public comment on
certain provisions of the Health Information Technology for Economic
and Clinical Health (HITECH) Act, namely: The consideration of
recognized security practices of covered entities and business
associates when OCR makes determinations regarding fines, audits, and
remedies to resolve potential violations of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Security Rule; and
the distribution to harmed individuals of a percentage of civil money
penalties (CMPs) or monetary settlements collected pursuant to the
HITECH Act, which requires the Secretary of HHS (Secretary) to
establish by regulation, and based upon recommendations from the
Government Accountability Office (GAO), a methodology under which an
individual who is harmed by an act that constitutes an offense under
certain provisions of the HITECH Act or the Social Security Act
relating to privacy or security may receive a percentage of any CMP or
monetary settlement collected by OCR with respect to such offense.
DATES: Comments must be submitted on or before June 6, 2022.
ADDRESSES: Written comments may be submitted through any of the methods
specified below. Please do not submit duplicate comments.
<bullet> Federal eRulemaking Portal: You may submit electronic
comments at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by searching for the Docket ID
number HHS-OCR-0945-AA04. Follow the instructions for submitting
electronic comments. Attachments should be in Microsoft Word or
Portable Document Format (PDF).
<bullet> Regular, Express, or Overnight Mail: You may mail comments
to U.S. Department of Health and Human Services, Office for Civil
Rights, Attention: HITECH Act Recognized Security Practices Request for
Information, RIN 0945-AA04, Hubert H. Humphrey Building, Room 509F, 200
Independence Avenue SW, Washington, DC 20201.
All comments received by the methods and due date specified above
may be posted without change to content to <a href="https://www.regulations.gov">https://www.regulations.gov</a>,
which may include personal information provided about the commenter,
and such posting may occur after the closing of the comment period.
However, the Department may redact certain non-substantive content from
comments before posting, including threats, hate speech, profanity,
graphic images, or individually identifiable information about a third-
party individual other than the commenter. In addition, comments or
material designated as confidential or not to be disclosed to the
public will not be accepted. Comments may be redacted or rejected as
described above without notice to the commenter, and the Department
will not consider in rulemaking any redacted or rejected content that
would not be made available to the public as part of the administrative
record. Commenters providing information regarding their organizations'
implementation of recognized security practices should not include
details that, if disclosed to the public, may put the security of the
organizations' information systems at risk.
Because of the large number of public comments normally received on
Federal Register documents, OCR is not able to provide individual
acknowledgments of receipt.
Please allow sufficient time for mailed comments to be received
timely in the event of delivery or security delays.
Please note that comments submitted by fax or email and those
submitted after the comment period will not be accepted.
Docket: For complete access to background documents or posted
comments, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a> and search for Docket ID
number HHS-OCR-0945-AA04.
FOR FURTHER INFORMATION CONTACT: Lester Coffer at (800) 368-1019 or
(800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: OCR, which administers and enforces the
HIPAA Privacy, Security, Breach Notification, and Enforcement Rules
(HIPAA Rules), is issuing this RFI to improve its understanding of how
covered entities and business associates (regulated entities) are
voluntarily implementing recognized security practices as defined in
Public Law 116-321, which added Section 13412 to the HITECH Act. The
information received in public comments will help OCR determine what
potential information or clarifications it needs to provide, through
future guidance or rulemaking, to help regulated entities understand
the application of the new law. This RFI also seeks public input on
issues relating to the distribution of a percentage of CMPs or monetary
settlements to individuals who are harmed by acts that constitute
offenses under subtitle D of the HITECH Act or Section 1176 of the
Social Security Act relating to privacy or security, as required by
Section 13410(c)(3) of the HITECH Act. Among the issues on which OCR
seeks public input are how to define compensable individual harm
resulting from a violation of the HIPAA Rules and the appropriate
distribution of payments to harmed individuals. OCR will use the
information received in public comments to inform the development of
future distribution methodology and policies.
[[Page 19834]]
I. Background
This RFI seeks public comment on how covered entities and business
associates are voluntarily implementing recognized security practices
as identified in Public Law 116-321,\1\ and public input on potential
information or clarifications OCR could provide on its implementation
of the statute in future guidance or rulemaking. This RFI also seeks
public comment on recommended methodologies for sharing CMPs or
monetary settlements with harmed individuals as required by section
13410(c)(3) of the HITECH Act.\2\
---------------------------------------------------------------------------
\1\ See Section 1 of Public Law 116-321, 134 Stat. 5072 (January
5, 2021).
\2\ The HITECH Act, enacted on February 17, 2009, as title XIII
of division A and title IV of division B of the American Recovery
and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies
certain provisions of the Social Security Act pertaining to the
HIPAA regulations, 45 CFR parts 160 and 164.
---------------------------------------------------------------------------
A. Public Law 116-321 (Section 13412 of the HITECH Act, as Amended)
Public Law 116-321, which adds section 13412 to Part 1 of subtitle
D of the HITECH Act,\3\ requires the Secretary to consider ``recognized
security practices'' that HIPAA covered entities and business
associates adequately demonstrate were in place for the previous 12
months when making determinations regarding fines (herein,
``penalties'') under section 1176 of the Social Security Act (as
amended by section 13410 of the HITECH Act),\4\ audits, and remedies to
resolve potential violations of the HIPAA Security Rule \5\ (Security
Rule).\6\ The statute does not expressly require rulemaking; however,
the Department is seeking comment to inform potential future guidance
or rulemaking that may help stakeholders better understand the
application of the statute.
---------------------------------------------------------------------------
\3\ See 42 U.S.C. 17931 et seq.
\4\ This RFI uses the terms ``civil money penalty'' or
``penalty'' in place of ``fine'' for consistency with section 1176
of the Social Security Act and the Enforcement Rule. See generally
42 U.S.C. 1320d-5 and 45 CFR part 160, subparts C, D, and E.
\5\ 45 CFR part 164, subparts A and C. The HIPAA Security Rule
establishes national standards to protect individuals' electronic
protected health information (ePHI) that is created, received,
maintained, or transmitted by a regulated entity. The Security Rule
requires appropriate administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and
availability of ePHI.
\6\ Remedies agreed to by the covered entity or business
associate and the Secretary generally consist of a signed resolution
agreement that includes payment of a settlement amount, and a
corrective action plan. See <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html</a>.
---------------------------------------------------------------------------
This RFI solicits comment on how covered entities and business
associates understand and are implementing ``recognized security
practices,'' how they anticipate adequately demonstrating that
recognized security practices are in place, and other implementation
issues they are considering or would like OCR to clarify for the public
and stakeholders through potential guidance or rulemaking.
1. Recognized Security Practices
Public Law 116-321 defines ``recognized security practices'' as:
<bullet> The standards, guidelines, best practices, methodologies,
procedures, and processes developed under section 2(c)(15) of the
National Institute of Standards and Technology (NIST) Act;
<bullet> the approaches promulgated under section 405(d) of the
Cybersecurity Act of 2015; and
<bullet> other programs and processes that address cybersecurity
and that are developed, recognized, or promulgated through regulations
under other statutory authorities.\7\
---------------------------------------------------------------------------
\7\ See section 13412(b)(1) of the HITECH Act, 42 U.S.C.
17941(b)(1).
---------------------------------------------------------------------------
The statute does not require covered entities and business
associates to implement recognized security practices,\8\ nor does it
provide criteria for covered entities or business associates to use
when selecting which category of recognized security practices to
implement (i.e., developed under section 2(c)(15) of the NIST Act;
promulgated under section 405(d) of the Cybersecurity Act of 2015; or
other programs that address cybersecurity developed, recognized, or
promulgated through regulations under other statutory authorities).
However, the statute does require that recognized security practices
must be consistent with Security Rule requirements.\9\
---------------------------------------------------------------------------
\8\ See section 13412(b)(3) of the HITECH Act, 42 U.S.C.
17941(b)(3).
\9\ See section 13412(b)(1) of the HITECH Act, 42 U.S.C.
17941(b)(1).
---------------------------------------------------------------------------
2. Adequately Demonstrate
Cybersecurity threats are a significant concern driving the need to
safeguard electronic protected health information (ePHI) as required by
the Security Rule. One of the primary goals of Public Law 116-321 is to
encourage covered entities and business associates to do ``everything
in their power to safeguard patient data.'' \10\ To achieve this goal,
Congress sought to ``[incentivize] healthcare entities to adopt strong
cybersecurity practices by encouraging the Secretary of HHS to consider
entities' adoption of recognized cybersecurity practices when
conducting audits or administering HIPAA fines.'' \11\ Thus, the
statute requires OCR to take into consideration in certain Security
Rule enforcement and audit activities whether a covered entity or
business associate has adequately demonstrated that recognized security
practices were ``in place'' for the prior 12 months.
---------------------------------------------------------------------------
\10\ Representative Pallone (NJ), ``Requiring Secretary of
Health and Human Services to Consider Certain Recognized Security
Practices,'' Congressional Record 166:208 (December 9, 2020), p.
H7089, available at <a href="https://www.congress.gov/congressional-record/2020/12/9/house-section/article/h7088-1">https://www.congress.gov/congressional-record/2020/12/9/house-section/article/h7088-1</a>.
\11\ Id.
---------------------------------------------------------------------------
OCR believes that the phrase ``had . . . [recognized security
practices] in place,'' as used in Public Law 116-321,\12\ is equivalent
to the term ``implement[ed]'' as used and clarified in the Security
Rule.\13\ Therefore, it is insufficient for a regulated entity to
merely establish and document the initial adoption of recognized
security practices. For OCR to consider such practices when making
determinations relating to penalties, audits, or other remedies, the
entity must also demonstrate that the practices are fully implemented,
meaning that the practices are actively and consistently in use by the
covered entity or business associate over the relevant period of time.
---------------------------------------------------------------------------
\12\ See section 13412(a) of the HITECH Act, 42 U.S.C. 17941(a).
\13\ ``We use the term `implement' to clarify that the
procedures must be in use, and we believe that the requirement to
implement policies and procedures requires, as an antecedent
condition, the establishment or adaptation of those policies and
procedures.'' Health Insurance Reform: Security Standards; Final
Rule. 68 FR 8334, 8349 (February 20, 2003).
---------------------------------------------------------------------------
3. The Previous 12 Months
The statute requires OCR, ``when making determinations relating to
fines under such section 1176 (as amended by section 13410) or such
section 1177, decreasing the length and extent of an audit under
section 13411, or remedies otherwise agreed to by the Secretary,'' to
consider whether the covered entity or business associate has
adequately demonstrated that the recognized security practices were in
place for a period of ``not less than the previous 12 months.'' The
statute does not state what action initiates the beginning of the 12-
month look back period.
B. Section 13410(c)(3) of the HITECH Act
Section 13410(c)(1) of the HITECH Act \14\ requires that any CMP or
monetary settlement collected with respect to an offense punishable
under subtitle D of the HITECH Act \15\ or section 1176 of the Social
Security
[[Page 19835]]
Act,\16\ insofar as such section relates to privacy or security, be
transferred to OCR for the purpose of enforcing the provisions of
subtitle D of the HITECH Act and subparts C and E of part 164 of title
45, Code of Federal Regulations.
---------------------------------------------------------------------------
\14\ See 42 U.S.C. 17939(c)(1).
\15\ See 42 U.S.C. Chapter 156, Subchapter III.
\16\ See 42 U.S.C. 1320d-5.
---------------------------------------------------------------------------
Section 13410(c)(3) of the HITECH Act requires the Secretary to
establish a methodology for the distribution of a percentage of a CMP
or monetary settlement amount collected for noncompliance with the
HIPAA Rules to an individual harmed by the noncompliance.\17\
---------------------------------------------------------------------------
\17\ See 42 U.S.C. 17939(c)(3).
---------------------------------------------------------------------------
Section 13410(d) of the HITECH Act modified section 1176(a)(1) of
the Social Security Act to require that OCR base determinations of
appropriate penalty amounts on the nature and extent of the violation
and the nature and extent of the harm resulting from such
violation.\18\ The statute does not define ``harm,'' nor does it
provide direction to aid HHS in defining the term.
---------------------------------------------------------------------------
\18\ See 42 U.S.C. 17939(d).
---------------------------------------------------------------------------
As part of its implementation of Section 13410(d) of the HITECH
Act,\19\ HHS amended the Enforcement Rule to identify four types of
harm that OCR may consider as aggravating factors in assessing a
covered entity's or business associate's CMP or proposed settlement
amount: (1) Physical harm, (2) financial harm, (3) reputational harm,
and (4) harms that hinder one's ability to obtain health
care.<SUP>20 21</SUP> In addition, HHS made clear in both the
regulatory text and preamble to the final rule that OCR is not limited
to the four enumerated types of harm, stating that ``in determining the
nature and extent of harm involved, we may consider all relevant
factors, not just those expressly included in the text of the
regulation.'' \22\
---------------------------------------------------------------------------
\19\ See generally 78 FR 5566 (January 25, 2013).
\20\ 45 CFR 160.408(b).
\21\ For further discussion of the factors considered by OCR
when determining the amount of a CMP, including the types of harm,
see 71 FR 8390, 8407-09 (February 16, 2006); 75 FR 40868, 40881
(July 14, 2010); and 78 FR 5585.
\22\ 78 FR 5585.
---------------------------------------------------------------------------
This RFI solicits public comment on the types of harms that should
be considered in the distribution of CMPs and monetary settlements to
harmed individuals and the suitability of the described potential
methodologies for sharing and distributing monies to harmed
individuals, and invites the public to submit any alternative
methodologies that are not identified herein. The discussion below
informs commenters about OCR's enforcement of the HIPAA Rules, the
challenges associated with defining harm to individuals, the potential
distribution methodologies GAO recommended for consideration, and other
implementation issues.
1. Background on OCR's Enforcement of the HIPAA Rules
OCR enforces the HIPAA Rules by investigating complaints submitted
to OCR that allege noncompliance with the HIPAA Rules. OCR also
conducts compliance reviews of potential noncompliance brought to OCR's
attention by other means, such as through breach reports to the
Secretary, to determine whether covered entities or business associates
are in compliance with the HIPAA Rules.
OCR resolves the majority of HIPAA cases by providing technical
assistance and/or obtaining voluntary corrective action by the covered
entity or business associate. However, where the nature and scope of
the noncompliance warrants additional enforcement action, OCR may
pursue a resolution agreement and corrective action plan with a payment
of a settlement, or it may impose a CMP.\23\
---------------------------------------------------------------------------
\23\ Information about previously imposed CMPs and resolution
agreements entered into is available at <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html</a>.
---------------------------------------------------------------------------
OCR is authorized under Section 13410 of the HITECH Act \24\ to
impose CMPs for violations occurring on or after February 18, 2009,\25\
of:
---------------------------------------------------------------------------
\24\ 42 U.S.C. 1320d-5(a)(3).
\25\ For violations occurring on or after November 3, 2015, the
HITECH Act CMP amounts are adjusted annually pursuant to the Federal
Civil Penalties Inflation Adjustment Act Improvement Act of 2015.
Sec. 701 of Public Law 114-74. The annual inflation amounts are
found at 45 CFR 102.3.
---------------------------------------------------------------------------
<bullet> A minimum of $100 for each violation where the covered
entity or business associate did not know and, by exercising reasonable
diligence, would not have known that the covered entity or business
associate violated such provision, except that the total amount imposed
on the covered entity or business associate for all violations of an
identical requirement or prohibition during a calendar year may not
exceed $25,000.
<bullet> A minimum of $1,000 for each violation due to reasonable
cause and not to willful neglect, except that the total amount imposed
on the covered entity or business associate for all violations of an
identical requirement or prohibition during a calendar year may not
exceed $100,000. Reasonable cause means an act or omission in which a
covered entity or business associate knew, or by exercising reasonable
diligence would have known, that the act or omission violated an
administrative simplification provision, but in which the covered
entity or business associate did not act with willful neglect.
<bullet> A minimum of $10,000 for each violation due to willful
neglect and corrected within 30 days, except that the total amount
imposed on the covered entity or business associate for all violations
of an identical requirement or prohibition during a calendar year may
not exceed $250,000.
<bullet> A minimum of $50,000 for each violation due to willful
neglect and uncorrected within 30 days, except that the total amount
imposed on the covered entity or business associate for all violations
of an identical requirement or prohibition during a calendar year may
not exceed $1,500,000.
The amount of a CMP that OCR pursues may vary based on the date and
number of violations, the culpability of the entity, and the existence
of certain mitigating and aggravating factors in accordance with 45 CFR
160.404, 160.406, and 160.408 and bounded by the calendar year caps
stated above. For example, harm to an individual is an aggravating
factor that may increase the CMP.\26\ OCR may also determine that it is
appropriate to waive a CMP in whole or in part to the extent the
penalty would be excessive relative to the violation, in accordance
with 45 CFR 160.412. In all cases, the total CMP may not exceed the
statutory maximum established in the HITECH Act.\27\
---------------------------------------------------------------------------
\26\ 45 CFR 160.408(b).
\27\ See 45 CFR 160.404; see also 84 FR 18151 (April 30, 2019)
for OCR's Notice of Enforcement Discretion Regarding HIPAA Civil
Money Penalties for information on the annual limits to CMPs that
may be imposed for HIPAA violations.
---------------------------------------------------------------------------
When OCR's investigation indicates noncompliance with the HIPAA
Rules, OCR may attempt to reach a resolution of the matter satisfactory
to the Secretary by informal means.\28\ \29\ Informal means may include
a settlement agreement, also called a resolution agreement (RA). RAs
involve the payment of a monetary amount that is generally less than
the maximum potential CMP for which the covered entity or business
associate could be liable. They also generally include a corrective
action plan that requires the covered entity or business associate to
address remaining compliance issues and to undergo monitoring of its
[[Page 19836]]
compliance with the HIPAA Rules for a specified period of time.
---------------------------------------------------------------------------
\28\ 45 CFR 160.312(a)(1).
\29\ OCR's website lists announcements of resolution agreements
OCR has entered into with covered entities and business associates
for alleged violations of the HIPAA Rules and CMPs OCR has imposed
for violations of the HIPAA Rules. See <a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html">https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html</a>.
---------------------------------------------------------------------------
If the indicated noncompliance is not resolved by informal means,
OCR so informs the covered entity or business associate and provides
them an opportunity to submit written evidence of any mitigating
factors or affirmative defenses for consideration under 45 CFR 160.408
and 160.410.\30\ The covered entity or business associate must submit
any such evidence within 30 days of receipt of such notice. If OCR
finds that a CMP should be imposed, the covered entity or business
associate is informed of the finding in a Notice of Proposed
Determination.
---------------------------------------------------------------------------
\30\ 45 CFR 160.312(a).
---------------------------------------------------------------------------
2. Determining Compensable Harm
As discussed above, the term ``harm'' is not defined by statute,
and the HITECH Act does not provide HHS direction in how to define
harm. Rather, the only qualification is that a relationship exists
between the harm and the act of noncompliance with the HIPAA Rules. The
Enforcement Rule identifies four types of harm as mitigating and
aggravating factors that may be considered in determining the amount of
CMPs--physical, financial, reputational, and ability to obtain health
care--while leaving open the possibility of other types of harm.\31\
\32\ However, the Enforcement Rule does not specifically define each of
those types of harms, and the HITECH Act does not require OCR to apply
those exact same harms to a methodology for distributing a percentage
of CMPs and monetary settlements to harmed individuals. Therefore, OCR
is considering what harms may make an individual eligible to receive
such distributions.
---------------------------------------------------------------------------
\31\ 45 CFR 160.408(b). (``The nature and extent of the harm
resulting from the violation, consideration of which may include but
is not limited to . . . .) (emphasis added).
\32\ OCR is not required to prove that a violation of the HIPAA
Rules has resulted in harm to individuals in order to determine that
the imposition of a CMP is warranted. See 45 CFR 160.312 and 45 CFR
part 160, subpart D.
---------------------------------------------------------------------------
3. Establishing a Methodology
Section 13410(c)(2) of the HITECH Act requires the Comptroller
General to submit to the Secretary recommendations for a methodology
under which an individual who is harmed by noncompliance with the
privacy and security requirements related to PHI may receive a
percentage of any CMP or monetary settlement collected by OCR. The
HITECH Act directs HHS to establish a methodology for sharing CMPs and
monetary settlements ``based on the recommendations submitted'' by the
GAO.\33\ The GAO recommendations do not address how to identify or
define harm; instead, they offer distinct models for HHS to consider in
developing its own methodology.\34\
---------------------------------------------------------------------------
\33\ Section 13410(c)(3) of the HITECH Act, 42 U.S.C.
17939(c)(3).
\34\ See generally Letter to HHS Secretary Kathleen Sebelius
from GAO Acting General Counsel Lynn H. Gibson Recommending Models
for the Distribution of Civil Monetary Penalties (August 9, 2010),
available in the docket for this RFI.
---------------------------------------------------------------------------
In establishing a methodology, OCR must also consider the
limitations on funding available for harmed individuals. Several
factors influence OCR's assessment of this question. First, the HITECH
Act does not guarantee or require that harmed individuals will be made
whole by the sharing of CMPs and monetary settlements, nor does HIPAA
provide a private right of action for an individual to sue a covered
entity or business associate for violating their privacy rights.
However, HIPAA does not preclude such remedies under state or other
law.\35\ Second, OCR is limited by statute in the total amount of a CMP
that it can pursue for each alleged violation of the HIPAA Rules.\36\
Finally, because OCR is not required to pursue an enforcement action to
address every potential violation of the HIPAA Rules, every potential
harm caused by such potential violations cannot necessarily be
redressed.
---------------------------------------------------------------------------
\35\ See 45 CFR 160.418. Further, every state's tort law system
provides individuals a means for seeking redress when they are
harmed by a negligent breach of duty. Such redress may include
addressing potential harms caused by violations of federal or other
privacy laws. Some states have also enacted a private right of
action to allow individuals to recover when they are harmed by the
impermissible sharing of their information. For instance, California
Civil Code Sec. Sec. 56 et seq. permits an individual whose medical
information has been negligently disclosed to seek nominal damages
of $1,000 without proving evidence of suffering. New York Public
Health Law Sec. 12 provides for civil penalties not to exceed
$2,000 for violations of its health privacy law, and up to $10,000
for a violation directly resulting in serious physical harm to a
patient. North Carolina allows an individual to bring a civil action
for damages of up to $5,000 per incident or treble actual damages
for each publication of personal information in violation of the
state's identity theft law. North Carolina also provides an
individual with a private right of action if the individual is
harmed by an entity's failure to report the breach of personally
identifiable information. See N.C. General Statute Sec. Sec. 75-60
et seq., 75-16, 65-65.
\36\ See section 13410(d) of the HITECH Act, 42 U.S.C. 17939(d).
---------------------------------------------------------------------------
GAO recommended three models for consideration: (1) Individualized
determination; (2) fixed recovery; and (3) hybrid. Below is a
description of the potential models and examples that are in use today.
The Individualized Determination Model
The individualized determination model is based on the private
civil action model whereby a plaintiff bears the burden of proof with
respect to both the harm suffered by the plaintiff, including the
nature and extent of the harm, and liability incurred by the defendant.
Evidence concerning the nature and extent of harm supports the
compensation awarded to a plaintiff. In civil actions, juries typically
determine liability and compensation to be awarded based on
instructions from the court regarding considerations when determining
the award. In general, ``translating legally recognized harm into
monetary awards is peculiarly a function of the jury,'' particularly
when assigning value to intangible and noneconomic losses that may not
be readily quantified, such as pain and suffering, loss of reputation,
or emotional distress.\37\
---------------------------------------------------------------------------
\37\ See GAO Letter, supra note 34, at 4.
---------------------------------------------------------------------------
A variation of the individual approach is the civil action known as
a class action, where a group of similarly harmed individuals may
pursue claims for redress of harm together. Class actions occur for
several reasons, such as for judicial economy to avoid multiple
adjudications of the same legal or factual issues or to permit a group
to pursue recovery when it may not be economically feasible to pursue
claims as individuals. While the burdens of proof for harm and
liability that exist for a private civil action remain the same for
plaintiffs, awards are shared among the class of harmed individuals,
often based on a fixed percentage of the total recovery amount.
The Consumer Financial Protection Bureau (CFPB or the Bureau) uses
an individual assessment model to distribute monetary awards for
economic harms. The CFPB has authority for oversight and regulation of
consumer financial products and services, including the ability to
direct money into the Consumer Financial Civil Penalty (CFCP) Fund,
which may then be used to compensate individuals (referred to in
regulation as ``victims'') who have been harmed by an activity for
which a penalty was imposed by the Bureau.\38\ The CFCP Fund's rules
define compensable harm for a victim as: (1) The victim's share of an
ordered redress \39\ amount; (2) if no ordered
[[Page 19837]]
redress amount, then a harm formulation contained in the underlying
final order (if any); or (3) if no ordered redress or harm formulation,
then the victim's out of pocket losses, except to the extent such
losses are impracticable to determine.\40\ Payments from the Fund may
only be made to eligible victims for compensable harm when calculable
and only to the extent a person has not received or is not reasonably
likely to receive full compensation for the same compensable harm from
another source.\41\
---------------------------------------------------------------------------
\38\ See Wall Street Reform and Consumer Protection Act Sec.
1017(d)(2) (Pub. L. 111-203), rules finalized at 12 CFR part 1075.
\39\ Redress is defined as ``any amounts--including but not
limited to restitution, refunds, and damages--that a final order
requires a defendant:
(1) To distribute, credit, or otherwise pay to those harmed by a
violation; or
(2) To pay to the Bureau or another intermediary for
distribution to those harmed by the violation.'' See 12 CFR
1075.101.''
\40\ 12 CFR 1075.104(c).
\41\ 12 CFR 1075.104(b).
---------------------------------------------------------------------------
Compensation from the CFCP Fund occurs in a two-step process.
First, the Fund administrator allocates funds for payment to eligible
victims. Second, the Fund administrator designates a payments
administrator with responsibility for distribution of funds; the
distribution methodology is not detailed in the CFPB's regulations.\42\
Funds received by the CFPB for a given violation are available for
distribution to any eligible class of victims with uncompensated harm
where distribution is practicable. To the extent that funds remain
after all eligible victims have been fully compensated, CFCP Fund
amounts not used for individual compensation may be used by the CFPB
for consumer education and financial literacy programs.
---------------------------------------------------------------------------
\42\ 12 CFR 1075.108(b) requires the payments administrator to
``submit to the Fund Administrator a proposed plan for the
distribution of funds allocated to a class of victims,'' while 12
CFR1075.108(c) details the contents the Fund Administrator may
require the payments administrator to include. Thus, the
distribution methodology is determined on a case-by-case basis.
According to the CFPB website, ``Some payments are administered by
the defendant. . . . In other cases, we may require the person or
company that violated the law to make the payment to the CFPB, and
then we distribute that money to the victims.'' <a href="https://www.consumerfinance.gov/enforcement/payments-harmed-consumers/payments-by-case/">https://www.consumerfinance.gov/enforcement/payments-harmed-consumers/payments-by-case/</a>. A full listing of redress payments administered
by the Bureau and victim payments from the CFCP Fund is available at
the website above.
---------------------------------------------------------------------------
The Fixed Recovery Model
Under the fixed recovery model, awards are generally either fixed
or calculated by a formula established by law, and recovery is based on
the prescribed formula. The GAO cites the Black Lung Benefits Act \43\
(BLBA) as one example. The BLBA provides benefits to coal miners and
their families for disability or death due to pneumoconiosis (also
known as black lung disease) resulting from employment in and around
coal mines. To receive an award, an individual or family must first
provide medical information demonstrating the medical condition,
similar to the evidence of harm required in the individualized
determination model. Recovery is based upon a statutory formula and
reduced when compensation for the same condition is received from other
sources (e.g., worker's compensation for pneumoconiosis). An
individual's recovery does not vary due to the specific individual's
economic or noneconomic harm as in the individualized determination
model, but the fixed determination model does offer advantages in its
relative ease of administration.
---------------------------------------------------------------------------
\43\ Public Law 92-303, 30 U.S.C. Chapter 22, Subchapter IV.
---------------------------------------------------------------------------
The Hybrid Model
The hybrid model combines elements of the individualized
determination and fixed recovery models. GAO notes that hybrid models
may be used to reflect uncertainty regarding the types of harm that can
be demonstrated with evidence. For example, the Privacy Act of 1974
permits a private right of action for the unlawful disclosure of an
individual's records by a federal agency. A plaintiff who demonstrates
that a federal agency unlawfully disclosed the plaintiff's records in a
willful or intentional manner may receive the minimum amount of $1,000
when the evidence of quantifiable harm is less than $1,000 and may
recover the full amount of actual damages when there is evidence of
quantifiable harm exceeding $1,000. In a 2009 class action settlement
by the Department of Veterans Affairs involving Privacy Act violations,
the VA payments were limited to a minimum of $75 and maximum of
$1,500.\44\ When settling a case with ChoicePoint \45\ under the Fair
Credit Reporting Act, the Federal Trade Commission (FTC) became
responsible for identifying harmed individuals and determining the
amount each person would receive. The FTC determined that individual
awards would be capped at $1,500 for out-of-pocket expenses and $3,060
for lost time.\46\ In both of these examples, the methodologies include
a fixed amount of recovery based on the harm individuals are able to
demonstrate, incorporating features of both the fixed recovery and
individualized determination models.
---------------------------------------------------------------------------
\44\ In Re Dept. of Veterans Affairs Data Theft Litigation,
1:06-MC-0506-JR (D.D.C. filed January 27, 2009), settlement
agreement, pp. 9-13.
\45\ United States v. ChoicePoint Inc., 1:06-CV-0198 (N.D. Ga.
Entered February 15, 2006), stipulated final judgment, pp. 4, 17.
\46\ See id. at pp. 9-10.
---------------------------------------------------------------------------
II. Questions for Public Comment
The Department requests comments on the questions below. The
Department welcomes comments from all stakeholders, including covered
entities and their business associates; State, local, territorial, and
tribal governments and their agencies; individuals; and consumer
advocates and groups as well as any other interested persons or
entities. The Department asks that commenters indicate throughout their
submitted comments the question(s) to which a comment is responding.
A. Public Law 116-321
As explained above, Public Law 116-321 amends Part 1 of subtitle D
of the HITECH Act to require OCR to consider recognized security
practices that organizations adequately demonstrate were in place for
the previous 12 months when determining penalties. The Department seeks
input from commenters regarding their voluntary implementation of
recognized security practices. Additionally, the Department seeks input
from commenters on any additional information or clarifications
regulated entities need from OCR regarding its implementation of this
new law. The first set of questions addresses regulated entities'
implementation of ``recognized security practices.''
1. What recognized security practices have regulated entities
implemented? If not currently implemented, what recognized security
practices do regulated entities plan to implement?
2. What standards, guidelines, best practices, methodologies,
procedures, and processes developed under section 2(c)(15) of the NIST
Act do regulated entities rely on when establishing and implementing
recognized security practices?
3. What approaches promulgated under section 405(d) of the
Cybersecurity Act of 2015 do regulated entities rely on when
establishing and implementing recognized security practices?
4. What other programs and processes that address cybersecurity and
that are developed, recognized, or promulgated through regulations
under other statutory authorities do regulated entities rely on when
establishing and implementing recognized security practices?
5. What steps do covered entities take to ensure that recognized
security practices are ``in place''?
a. What steps do covered entities take to ensure that recognized
security
[[Page 19838]]
practices are in use throughout their enterprise?
i. What constitutes implementation throughout the enterprise (e.g.,
servers, workstations, mobile devices, medical devices, apps,
application programming interfaces (APIs))?
6. What steps do covered entities take to ensure that recognized
security practices are actively and consistently in use continuously
over a 12-month period?
7. The Department requests comment on any additional issues or
information the Department should consider in developing guidance or a
proposed regulation regarding the consideration of recognized security
practices.
B. Section 13410(c)(3)
As explained above, Section 13410(c)(3) of the HITECH Act requires
the Department to establish a methodology whereby an individual who is
harmed by noncompliance with the HIPAA Rules may receive a percentage
of a penalty or monetary settlement collected with respect to that
noncompliance. Although the Enforcement Rule permits the Department to
consider certain types of harm when determining the amount of a
penalty, neither the HITECH Act nor the HIPAA Rules define harm
generally or for the purpose of identifying and quantifying harm to
determine an amount to be shared with an individual. For this reason,
the Department seeks input from commenters about how to define harm and
what bases should be used for deciding which injuries are compensable.
The first set of questions below addresses what constitutes
individual harm in the context of the HIPAA Rules and whether all
possible harms or only certain harms should be eligible for a
distribution.
8. What constitutes compensable harm with respect to violations of
the HIPAA Rules?
a. Should compensable harm be limited to past harm?
i. Should only economic harm be considered?
ii. Should harm be limited to the types of harm identified as
aggravating factors in assessing CMPs (physical, financial,
reputational, and ability to obtain health care)? \47\
---------------------------------------------------------------------------
\47\ 45 CFR 160.408(b).
---------------------------------------------------------------------------
iii. Should harm be expanded to include additional types of
noneconomic harms such as emotional harm?
A. If compensable harm should be expanded to include noneconomic
harms, what method should OCR use to evaluate and measure the harm?
b. Should the potential for future harm be compensable?
i. Are there types of future harm that should not be recognized as
compensable? For example, how should OCR treat an individual that has
no demonstrated injury-in-fact and only a risk of future harm? What
makes future harm likely?
ii. How will these types of harm be proven and measured?
c. Should OCR allow individuals to include actual and perceived
harm, which can vary based upon context and individual, such that
different individuals may suffer different amounts of harm even though
both suffered the same loss of privacy?
i. How should such variation in harm be measured?
d. Are there types of harm that should not permit an individual to
receive a portion of a CMP or monetary settlement?
9. Should harm be presumed in certain circumstances? For example,
should noncompliance with certain provisions of the HIPAA Rules be
presumed to have harmed all affected individuals? If so, which
provisions?
a. Conversely, should noncompliance with certain provisions of the
HIPAA Rules be presumed not to have harmed individuals unless some
condition is met? For example, should noncompliance with certain
workforce training requirements be recognized as harm only when
accompanied by an impermissible use or disclosure of PHI?
b. Should the Department require an individual to provide evidence
of harm before distributing a portion of a CMP or monetary settlement
to that individual? If yes, what types of evidence should be required
to demonstrate compensable harm?
10. The Department seeks information about current real-world
impacts of loss of privacy on an individual's willingness to seek care
or disclose health information to covered entities to better understand
the nature of privacy harms that occur.
11. Should the Department recognize as harm the release of
information about a person other than the individual who is the subject
of the information (e.g., a family member whose information was
included in the individual's record as family health history) for
purposes of sharing part of a CMP or monetary settlement? If yes,
should the individual who is not the subject of the information be
permitted to receive a portion of a CMP or monetary settlement?
The HITECH Act gives no direction regarding an amount to be set
aside or distributed to individuals other than requiring it to be a
percentage of the CMP or monetary settlement. Other federal agencies
have approached these determinations in a variety of ways. For example,
while the CFPB does not set limits on the amount to be made available
for distribution to victims, payments must be practicable.\48\ The
Securities and Exchange Commission (SEC) exercises discretion regarding
whether to apply any or all of a penalty amount to compensate an
investor for a loss, with remaining amounts reverting to the U.S.
Treasury. The following questions seek comment regarding factors to be
considered in establishing a methodology for calculating an amount to
be set aside for distribution to individuals and whether there are
circumstances in which funds should not be set aside for distribution.
---------------------------------------------------------------------------
\48\ See 12 CFR 1075.109 for an explanation of when payments to
victims are considered to be ``impracticable.''
---------------------------------------------------------------------------
12. Should there be a minimum total settlement or penalty amount
before the Department sets aside funds for distribution?
13. Under Section 13410(c)(3) of the HITECH Act,\49\ settlements or
CMPs collected in response to a violation of the HIPAA Rules are to be
used for the purposes of enforcing the HIPAA Rules. What role should
OCR's continued ability to support enforcement activities play in
determining whether there should be a minimum total settlement or
penalty amount before the Department sets aside funds for distribution?
---------------------------------------------------------------------------
\49\ 42 U.S.C. 17939(c)(3).
---------------------------------------------------------------------------
14. Should there be a minimum amount available per harmed
individual before funds are set aside for distribution?
15. Should the Department consider external recoveries or
compensation received, available, or likely to be available for harmed
individuals when deciding whether to set aside funds for distribution?
16. Should there be a minimum or maximum percentage or amount set
aside for distribution? If so, what should the maximum and/or minimum
be and why?
17. What factors should the Department consider in determining what
total percentage of a CMP or monetary settlement should be set aside
for harmed individuals?
a. For example, should the percentage set aside be dependent upon
the number of individuals that may have been harmed, the amount or type
of harm, be based on a fixed percentage, or another factor?
[[Page 19839]]
b. Should the percentage set aside take into account OCR's
continued ability to support enforcement activities with the remaining
funds?
The following questions address how to provide notice to affected
individuals that monetary distribution may be available.
18. How should harmed individuals be identified? How should they be
notified that they may be eligible for distributions?
19. If an individual is deceased, should the family or estate be
notified and eligible to receive a distribution?
20. If an individual cannot be located and notified within the time
frame for distribution, should the individual be permitted to receive a
distribution at a later date?
The following questions relate to the three recovery models that
GAO identified and related considerations regarding the administration
of a distribution methodology.
21. What goals should the Department prioritize when selecting a
distribution model?
a. For example, should the methodology ensure that all harmed
individuals receive compensation?
b. Should it instead maximize distributions of available funds to
the individuals most harmed by noncompliance?
22. If the Department adopts a model that allows different
distributions for differently harmed individuals, how should the
distributions be allocated?
23. Should there be a cap on the total percentage amount that any
individual can collect to ensure that all harmed individuals receive a
distribution or for any other reason?
24. Are there other distribution models to consider? Please provide
relevant examples.
25. Should the distribution methodology adjust or deny distribution
amounts based on the potential or actual compensation of individuals
through other mechanisms outside of the distribution requirement for
the same action under the HITECH Act, such as in a manner similar to
the CFPB?
26. Should the distribution methodology recognize and account for
in-kind benefits (e.g., credit monitoring paid for by the entity) as
compensation for purposes of reducing or denying a distribution to
those individuals?
27. Should an individual have a right to appeal a decision not to
disburse funds to the individual (e.g., where the administrator of the
fund determines that the individual did not suffer compensable harm or
has received adequate compensation from another source)? If so, how
should appeals be adjudicated?
28. Within what timeframe after a settlement agreement or
imposition of a CMP should individuals submit claims to be eligible for
disbursement?
29. Within what timeframe should funds be disbursed to harmed
individuals?
a. Should timeliness requirements be determined on a case-by-case
basis, depending on factors such as the number of individuals affected
by a violation?
b. What other factors should be considered?
30. Finally, the Department requests comment on any additional
factors or information the Department should consider in developing a
proposed methodology to share a percentage of CMPs and monetary
settlements with harmed individuals.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2022-07210 Filed 4-5-22; 8:45 am]
BILLING CODE 4153-01-P
</pre></body>
</html>Indexed from Federal Register on April 6, 2022.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.