The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) today issued a Request for Information (RFI) seeking public comment on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021. The growing number of cybersecurity threats is a significant concern that makes it necessary to strengthen safeguards for electronic protected health information (ePHI). This RFI will enable OCR to consider ways to support the healthcare industry's implementation of recognized security practices. The RFI will also help OCR consider ways to share funds collected through enforcement actions with individuals harmed by violations of the HIPAA Rules.
“This request for information is long overdue, and we look forward to considering the feedback we receive from the public and regulated industry on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or discriminated against or systemically disadvantaged to comment on this request for information, so that we hear your voice and fully consider your interests in developing rules and future guidance.”
Through today’s RFI, OCR is seeking public comment on the following provisions of the law:
Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to consider certain recognized security practices of covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates when determining potential fines, audit results, or other remedies to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following an investigation, compliance review, or audit. Public Law 116-321 took effect upon enactment on January 5, 2021.
One of the main purposes of this provision is to encourage covered entities and business associates to do “everything in their power to protect patient data.”
The RFI seeks feedback on how covered entities and business associates implement recognized security practices, how they plan to adequately demonstrate that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
Civil Monetary Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected in connection with that violation. HITECH Section 13410(d)(1) requires OCR to base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The HITECH Act does not define “harm,” nor does it provide guidance to help HHS define the term.
The RFI invites public comment on the types of harm that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing these funds, and invites the public to submit alternative methodologies.
OCR encourages input from all stakeholders, including patients and their families, HIPAA-covered entities and their business associates, consumer advocates, healthcare professional associations, health information professionals, health information technology vendors, and government entities.
Individuals wishing to obtain more information about the RFI, or about how to submit written or electronic comments to OCR, should consult the Federal Register notice: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health
Please note that comments must be submitted by June 6, 2022 to be considered.