The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

OCR is seeking public comments to improve its understanding of how regulated entities are voluntarily implementing recognized security practices to help determine what potential information or clarifications it needs to provide through future rulemaking or guidance. As explained by OCR, “[t]his RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices.

With respect to its request for comment on sharing of civil monetary penalties and settlements, OCR explained: [t]he RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”

Recognized Security Practices

As we previously discussed, effective January 5, 2021, the HITECH Act was amended to require HHS to take into consideration certain recognized security practices (such as those in line with the National Institutes of Standards and Technology (NIST) guidance) of covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA security rule pursuant to an investigation, compliance review, or audit. According to HHS, one of the primary goals of this change in law is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.” OCR must now consider the “recognized security practices” that HIPAA covered entities and business associates adequately demonstrate were in place for the previous 12 months.

OCR posed several questions related to recognized security practices including the following:

  • What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
  • What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  • What other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  • What steps do covered entities take to ensure that recognized security practices are “in place”?
    • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?
      • What constitutes implementation throughout the enterprise (e.g., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?
    • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
    • The Department requests comment on any additional issues or information the Department should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.

Sharing Funds with Individuals Harmed Due to HIPAA Violation

The HITECH Act requires HHS to establish a methodology whereby an affected individual may receive a percentage of a penalty or monetary settlement collected with respect to noncompliance. This effort aligns with OCR’s recent enforcement push around the HIPAA Right of Access. Although HHS may consider certain types of harm when determining the amount of a penalty, harm generally is not defined for the purpose of identifying and quantifying harm to determine an amount to be shared with an individual. Of note, many plaintiffs and courts have struggled with establishing harm resulting from privacy violations or data breach. For this reason, OCR seeks input in the RFI about how to define harm and what bases should be used for deciding which injuries are compensable.

Below are examples of OCR questions related to determining harm for purposes of sharing funds with individuals contained in the RFI:

  • What constitutes compensable harm with respect to violations of the HIPAA rules?
  • Should compensable harm be limited to past harm?
  • Should only economic harm be considered?
  • Should harm be limited to the types of harm identified as aggravating factors in assessing CMPs (physical, financial, reputational, and ability to obtain health care)?
  • Should harm be expanded to include additional types of noneconomic harms such as emotional harm?

Responding to an OCR request for information - like the one recently issued on April 6, 2022 - provides a vehicle for stakeholders to inform OCR of regulatory burdens or unintended consequences of HIPAA rules. Responding to a request for information also permits the responder to potentially shape the direction of future OCR rulemaking or guidance. Comments to the RFI must be submitted on or before June 6, 2022. You may submit electronic comments at by searching for the Docket ID number HHS-OCR-0945-AA04.

Any questions regarding OCR’s RFI may be directed to Alaap B. Shah and Elizabeth A. Kastner or the EBG attorney that assists you.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.