OCR Wants Feedback on Recognized Security Practices and the Distribution of HIPAA Settlements with Victims

The Department of Health and Human Services’ Office for Civil Rights has published a Request for Information (RFI) concerning two particular provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Under the 2021 amendment to the HITECH Act made by the HIPAA Safe Harbor Act, the HHS must take into account the security practices that HIPAA-regulated entities had in place when deciding whether to impose financial penalties and other remedies for potential HIPAA violations identified in the course of investigations and reviews.

The goal of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to adopt cybersecurity best practices. The incentive for entities that had implemented industry-standard security practices for at least one year before a data breach occurs is reduced financial penalties for security breaches and less scrutiny from the HHS.

Another requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a portion of the civil monetary penalties (CMPs) and settlement payments with individuals who were harmed by the violations for which the penalties were imposed. The HITECH Act requires the HHS to establish a methodology for determining the appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the resulting harm.

At the beginning of this year, Lisa J. Pino, the newly appointed Director of the HHS’ Office for Civil Rights (OCR), confirmed that these two requirements of the HITECH Act would be addressed this year. Yesterday, OCR published the RFI in the Federal Register requesting public comment on these two provisions of the HITECH Act.

Specifically, OCR is seeking comments on what constitutes “Recognized Security Practices,” the recognized security practices that HIPAA-regulated entities implement to secure electronic protected health information (ePHI), and how those entities can demonstrate that they have adequately implemented recognized security practices. OCR would also like to learn of any implementation issues that those entities would like OCR to clarify, either through additional rulemaking or guidance, along with recommendations on which action should trigger the start of the 12-month look-back period, since that is not specified in the HIPAA Safe Harbor Act.

One of the primary concerns with the requirement to share CMPs and settlements with affected individuals is that the HITECH Act does not define harm. OCR wants feedback on the kinds of “harms” that should be considered when distributing a percentage of CMPs and settlements, and recommendations on possible methods for sharing and distributing funds to harmed individuals.

This request for information has been anticipated for some time, and feedback from the public and affected industry stakeholders is welcome. Individuals who are historically underserved, marginalized, or vulnerable to discrimination or systemic disadvantage should provide feedback on this RFI so that their interests are taken into consideration in subsequent rulemaking and guidance.

To be considered, responses must be submitted to OCR by June 6, 2022.