How to Implement Cybersecurity Best Practices Bill

In January of 2021, HR 7898, nicknamed the Cybersecurity Best Practices bill, was signed into law. Under this law, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) must consider whether an entity used recognized cybersecurity best practices in the year preceding a violation when deciding whether to penalize the organization. 

In April of 2022, OCR issued a public Request for Information (RFI). The RFI seeks public comment on how covered entities and business associates are implementing recognized security practices. OCR is seeking comments to inform potential future guidance on implementing HR 7898. 

What is the Cybersecurity Best Practices Bill?

HR 7898 amends the HITECH Act by adding a new section. Under this new Section 13412, when deciding whether to conduct an audit or issue a fine, the HHS Secretary must consider whether a covered entity or business associate has adequately demonstrated that it had recognized security practices in place for the previous twelve months.

Under the law, “recognized security practices” mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA.


How to Implement the Cybersecurity Best Practices Bill: Help Us to Help You

The Request for Information states that public comment will enable OCR to consider ways to support the healthcare industry’s implementation of recognized cybersecurity best practices. 

HHS seeks public comment on three areas:

  1. How are covered entities and business associates implementing “recognized security practices”?
  2. How are covered entities and business associates adequately demonstrating that recognized security practices are in place?
  3. Are there any implementation issues covered entities and business associates would like OCR to clarify through future guidance or rulemaking?

HHS seeks public comment because the cybersecurity best practices law is unclear in several aspects. For example, HHS notes that the legislation does not provide criteria for covered entities or business associates to use when selecting which category of recognized security practices to implement. 

HHS also recognizes that the “twelve-month” provision is unclear. OCR, “when making determinations relating to fines or audits must consider whether an entity has adequately demonstrated that recognized security practices were in place ‘for a period of not less than the previous 12 months.’”

HHS, in the RFI, notes an obvious omission in the text: “The statute does not state what action initiates the beginning of the 12-month lookback period.” (Is it the date of a violation? The date a violation is discovered? The date it is reported?)

Through the RFI, HHS is asking covered entities and business associates to tell it in effect, “We’ve read the law and are trying to abide by it. What additional information or clarification do you, HHS, need before you, HHS, implement the new law through regulation?” 

Seven Questions Posed by HHS

HHS seeks responses to seven specific questions:

  1. What recognized security practices have regulated entities implemented? If not currently implemented, what recognized security practices do regulated entities plan to implement?
  2. What standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  3. What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  4. What other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  5. What steps do covered entities take to ensure that recognized security practices are “in place”?
    • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise?
      • What constitutes implementation throughout the enterprise (i.e., servers, workstations, mobile devices, medical devices, apps, application programming interfaces (APIs))?
  6. What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?
  7. HHS requests comment “on any additional issues or information HHS should consider in developing guidance or a proposed regulation regarding the consideration of recognized security practices.”

HHS Seeks Public Input: RSVP Soon

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR may visit the Federal Register to learn more.

Comments must be submitted to HHS by June 6, 2022, in order to be considered.

Once HHS receives comments, it may follow one of several paths. HHS may decide that another request for information is needed for further clarity. Or, HHS may use the information submitted through the RFI to develop guidance. Guidance documents issued by HHS do not carry the force of law. However, an entity that demonstrates it followed such guidance can argue, if investigated, that it made a good-faith attempt to comply with the law by implementing that guidance. A possible third route: HHS may issue a formal notice of proposed rulemaking (NPRM). In an NPRM, HHS would propose changes to the existing HIPAA regulatory text to clarify issues like “when does the 12-month period start?” and “what criteria must be used when selecting which category of recognized security practices to implement?”
