
HIPAA Update: Request for Information on Security Practices

On April 6, 2022, the federal Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued a “Request for Information” addressing two (2) specific elements of the federal HIPAA and HITECH Act rules. The increasing threats related to cybersecurity attacks (including threats associated with the recent war in Ukraine) in part have prompted the government to revisit the safeguards that health care and other providers have in place in connection with electronic protected health information (“EPHI”). This Request for Information is intended to assist OCR in issuing further regulatory compliance guidance.

Specifically, OCR is requesting public comments on the following two (2) provisions of law:

(1) Recognized Security Practices:

a. The HITECH Act in particular currently mandates that the government consider the recognized security practices of health care providers, health plans, other HIPAA covered entities, and business associates when determining fines and imposing other remedies for HIPAA Security Rule violations.

b. This Request for Information requests comments on how such parties are implementing "recognized security practices” and how they can demonstrate that such practices and security measures are in place.

(2) Civil Monetary Penalty and Settlement Sharing:

a. The HITECH Act (section 13410(c)(3)) requires the government to develop a methodology pursuant to which an individual harmed by a HIPAA/HITECH violation can obtain a percentage of any civil monetary penalty or monetary settlement collected by the government for a HIPAA/HITECH breach and the resulting harm from the violation.

b. This second Request for Information requests comments on the types of “harm” that should be considered before the government distributes any monetary recovery, as well as the potential methodologies for sharing/distributing such recovered funds.

c. With respect to establishing a methodology to determine when an individual harmed by a breach may receive a percentage of the monetary settlement received by OCR, the government has recommended the following three (3) potential models for consideration (and has invited the public to submit potential alternative methodologies):

i. Individualized Determination Model: This model is essentially a private civil action with a determination of harm and damages.

ii. Fixed Recovery Model: This model would establish an award that is fixed or calculated by a formula under the law. This model may be easiest to implement.

iii. Hybrid Model: This model combines elements of the above two (2) models. For example, the methodology in such a model could include a fixed amount of recovery once an individual is able to prove specific harm has occurred.

Additional information regarding this Request for Information can be found in the April 6, 2022 Federal Register publication which can be located at the following link:

Any public comments must be submitted for consideration on or before June 6, 2022.

Our Firm has extensive experience counseling health care providers on privacy compliance requirements, as well as preparing and implementing applicable policies. If you have any questions related to this Legal Briefing, please contact any member of our Firm at 585-730-4773. Please note that any embedded links to other documents may expire in the future.



This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2022 Law Offices of Pullano & Farrow PLLC

