CHI, MGMA Respond to OCR’s RFI On Recognized Security Practices Under HITECH

June 08, 2022 - The Connected Health Initiative (CHI) and the Medical Group Management Association (MGMA) both responded to the HHS Office for Civil Rights’ (OCR) request for information (RFI) surrounding recognized security practices under HITECH.  

For context, in January 2021, Congress enacted an amendment to the HITECH Act “to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”

Essentially, the amendment presented covered entities with significant incentives for having adequate security and privacy controls in place by offering reduced fines and other perks. The amendment directed covered entities to implement security controls based on the National Institute of Standards and Technology (NIST) framework, the HIPAA Security Rule, and section 405(d) of the Cybersecurity Act of 2015, among other frameworks.

However, the amendment mostly left covered entities and business associates to interpret what “recognized security practices” were right for their organizations.

“The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI),” OCR’s announcement stated.

READ MORE: 2 Million Individuals Impacted By Shields Health Care Group Cyberattack

“This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices.”

In their separate response, both MGMA and CHI urged HHS to provide clarity, best practices, and guidance on HITECH measures and requested that healthcare organizations get the flexibility and assistance they need to implement security measures that suit their organization’s needs.

MGMA Calls For Flexibility, Best Practices, Increased Education

In MGMA’s letter to HHS, the group urged HHS OCR to promote flexibility and expand educational outreach when it comes to HITECH implementation.

“As cyberattacks have escalated in recent years, particularly aimed at healthcare organizations, MGMA acknowledges it is critical for medical groups to take steps to protect patient health information and secure their clinical and administrative electronic systems,” MGMA noted.

“MGMA has worked diligently to educate medical groups on cybersecurity best practices, but even the most proactive and prepared practices can fall victim to an attack.”

READ MORE: OCR Seeks Public Input on Penalties, Security Measures Under HITECH

With these challenges in mind, MGMA recommended that HHS continue to recognize the definition of “recognized security practice” in order to ensure that providers have the flexibility to adopt the security practices that are the most relevant to their organizations.

“We are concerned that a mandate for groups to adopt specific recognized security systems would lead to unintended consequences stemming from increased costs and administrative burden,” MGMA stated.

“Medical groups should be in the driver’s seat to appropriately balance the need to protect protected health information (PHI) with their ability to stay financially viable and avoid interruptions to patient care.”

In addition, MGMA requested that HHS provide further guidance and best practices that providers can reference to help mitigate cyber risks. The group suggested that HHS release tangible guidance for healthcare organizations to reference, such as a framework or checklist.

“There is a need to harmonize current and future regulatory frameworks for which medical groups must comply. We are aware that ONC will soon release regulations and penalties pertaining to data blocking. ONC information blocking rules penalize physicians for not sharing health information, but on the other hand, HIPAA penalizes physicians for sharing too much information,” MGMA also emphasized.

READ MORE: What is the HIPAA Privacy Rule?

“To prevent unnecessary confusion and burden on medical groups, HHS should consider other rules and policies impacting physicians while developing additional regulations.”

MGMA also urged HHS to take “good faith efforts” to secure PHI into consideration prior to imposing civil monetary penalties.

CHI Calls For the Modernization of HIPAA

On its website, CHI says that the initiative’s primary goal is to “clarify outdated health regulations, incentivize the use of connected health technologies, and ensure an environment in which patients and consumers can see improvement in their health.”

With a focus on connected health in particular, CHI wrote a letter to Secretary Becerra to address concerns and suggest updates to how HIPAA and HITECH are implemented in healthcare.

“Because it represents an important opportunity to improve clarity, we support OCR’s efforts to implement provisions of Public Law 116-321, which directs HHS to consider actual evidence of Recognized Security Practices as a mitigating factor when investigating a compliance or complaint review for potential HIPAA violations,” CHI stated.

“PL 116-321 should only apply to HIPAA compliance enforcement actions and audits. Improved regulatory guidance and the adoption of internal policies that allow enforcement discretion on best security practices as it relates to safeguarding protected health information (PHI) is critically important to establishing a healthcare environment that incents the adoption of recognized security practices while avoiding conflict with the other aspects of the HIPAA Administrative Simplification provisions.”

CHI noted that current security standards are likely to evolve and new ones will surface over time. With this in mind, CHI urged OCR to include new and emerging risk management security standards in its recognized security practices.

CHI also presented several proposed measures for OCR to take in order to update HIPAA and HITECH to reflect modern challenges in the healthcare sector. CHI acknowledged the important roles that the HIPAA Security Rule and the HIPAA Privacy Rule played in establishing minimum standards for safeguarding PHI.

“However, HIPAA privacy and security rules and guidance applicable to basic modern technology modalities, such as mobile apps have not been updated since before the 2007 introduction of the iPhone,” CHI noted.

“The persistent lack of clarity around HIPAA applicability in a mobile environment prevents many patients from benefiting from these services. As a result, many physicians are reluctant to receive health readings from their patients electronically, and hospital systems are discouraged from adopting patient-centered technologies.”

Many physicians are unsure whether they can exchange texts or emails with patients, CHI mentioned. CHI called for clarity and guidance on how covered entities and business associates can maintain compliance without restricting the use of new technologies that enable care coordination.

“Additional guidance and education on the existing provisions of the HIPAA Rules would greatly help advance information sharing and the improvement of care coordination. However, as it stands, the guidance that has already been developed—in some cases—hasn’t made its way to the intended audience,” CHI stated.

“As we mentioned before, OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules.”

However, CHI indicated that it had not seen similar educational campaigns directed at providers or patients. CHI urged OCR to address the “gray” areas of HIPAA, such as how to differentiate patient-directed third-party access to PHI and a third-party access request.

Among several suggestions to OCR, CHI recommended that OCR provide sample business associate agreement (BAA) language to developers and providers, ensure that HIPAA regulations do not stifle innovations in artificial intelligence, and promote information sharing for the sake of treatment and care coordination.

The comment period for OCR's request for information closed on June 6.