The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has requested comments from the public on two outstanding requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 that relate to its enforcement of compliance with the Health Insurance Portability and Accountability Act (HIPAA).
OCR is the main enforcer of HIPAA compliance and investigates complaints and data breaches at healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. When HIPAA violations are identified, financial penalties can be imposed. Section 13410(c)(3) of the HITECH Act requires OCR to develop a methodology under which a percentage of the civil monetary penalties and settlements from its HIPAA enforcement activities can be shared with victims of the violations that attracted financial penalties.
In January 2021, the HITECH Act was amended to require the Secretary of HHS to consider certain recognized security practices implemented by HIPAA-regulated entities when determining financial penalties and other remedies for data breaches, the aim being to incentivize those entities to improve their privacy and security controls. Essentially, the amendment means that if recognized security practices have been in place for no less than 12 months prior to a data breach, then any financial penalties will be reduced, and investigations and compliance audits will be less stringent.
This week, OCR published a Request for Information (RFI) in the Federal Register seeking comments from the public on these two outstanding HITECH Act requirements. OCR has requested feedback on a methodology that could be adopted for distributing monies to harmed individuals, and also on what harms should be considered appropriate to receive monies, as the HITECH Act does not define what constitutes harm in this respect.
With respect to the recognized security practices, OCR has requested feedback on how HIPAA-regulated entities have implemented these security practices, any challenges they faced, and how they plan to demonstrate that recognized security practices have been adopted. HIPAA-regulated entities can also use the RFI to request that OCR issue further guidance, or to suggest areas where further rulemaking is required.
“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”
The RFI can be viewed here, and comments must be submitted no later than June 6, 2022, to be considered.