OCR Seeks Responses on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Persons

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published a Request for Information (RFI) concerning two specific provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Under the 2021 HIPAA Safe Harbor Act, which amended the HITECH Act, HHS is required to consider the security practices that a HIPAA-regulated entity had in place when deciding on financial penalties and other remedies for potential HIPAA violations uncovered through investigations and audits.

The purpose of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to adopt recognized cybersecurity practices. Entities that can show they had industry-standard security practices in place for the twelve months preceding a data breach can benefit from reduced financial penalties and less extensive audits by HHS.

Another notable requirement, which dates back to the original passage of the HITECH Act, is for HHS to share a percentage of civil monetary penalties (CMPs) and settlement payments with individuals who were harmed by the violations for which those penalties were imposed. The HITECH Act requires HHS to establish a methodology for determining the appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm caused.

Earlier this year, the recently appointed Director of OCR, Lisa J. Pino, confirmed that these two provisions of the HITECH Act would be addressed this year. Yesterday, OCR published the RFI in the Federal Register, requesting public feedback on both provisions.

In particular, OCR is requesting comments on what constitutes “Recognized Security Practices,” which recognized security practices HIPAA-regulated entities are implementing to safeguard electronic protected health information (ePHI), and how those entities can demonstrate that such practices were adequately in place. OCR would also like to learn of any implementation issues that regulated entities want OCR to resolve, either through further rulemaking or guidance, and to receive suggestions on which event should trigger the start of the 12-month look-back period, since the HIPAA Safe Harbor Act does not specify this.

One of the main difficulties with the requirement to share CMPs and settlements with affected individuals is that the HITECH Act does not define “harm.” OCR is seeking feedback on the types of harm that should be considered when sharing a portion of CMPs and settlements, and on possible methodologies for allocating and distributing those funds to harmed individuals.

This request for information has been long awaited, and comments from the public and the regulated industry are welcome. Individuals and communities that have historically been underserved, marginalized, or subject to discrimination or systemic disadvantage are particularly encouraged to comment on this RFI, so that their interests are taken into account in future rulemaking and guidance.

To be considered, feedback should be submitted to OCR on or before June 6, 2022.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone