OCR wants feedback on HITECH security provisions, monetary penalties


The Office for Civil Rights in the U.S. Department of Health and Human Services wants to hear from healthcare stakeholders about two components of the 2009 HITECH Act, which was amended this past year.

OCR’s request for information is meant to help the agency better understand how to support the healthcare industry’s implementation of recognized security practices, officials say.

In addition, they say it will help inform better strategies to ensure funds, collected through OCR enforcement actions, are disbursed to individuals harmed by HIPAA violations.

Specifically, OCR wants public feedback on two provisions of the HITECH Act: Recognized Security Practices and Civil Money Penalty and Settlement Sharing.

HITECH’s Section 13412 requires that HHS consider specific recognized security practices for covered entities – payers, clearinghouses, most providers – as well as their business associates when determining potential fines or other remedies for resolving potential violations of the HIPAA Security Rule. (Public Law 116-321 went into effect when it was signed into law on January 5, 2021.)

The aim is to encourage covered entities and business associates to do “everything in their power to safeguard patient data,” say OCR officials.

OCR wants to know how covered entities and their associates are implementing these recognized security practices, and how they plan to demonstrate that they’re in place. It also wants to learn more about any other implementation issues that should be clarified with future guidance or rulemaking.

Section 13410(c)(3) of the HITECH Act, meanwhile, calls on HHS to set up a methodology by which patients harmed by potential violations of the HIPAA privacy, security and/or breach notification rules could receive a percentage of any settlement money collected with respect to such an offense. It requires OCR to base determinations of those penalty amounts on the nature and extent of the violation – and the harm resulting from it.

But HITECH doesn’t define “harm.” So the RFI wants feedback on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, and what methodologies for sharing and distributing money might be used.

The request for information comes as cybersecurity threats proliferate and OCR’s enforcements step up.

The agency says any health industry stakeholders seeking more information about the RFI, or who want to send comments to OCR, should visit the Federal Register to learn more.

It encourages patients and their families, HIPAA covered entities and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health IT vendors and government entities to offer feedback.

Comments must be submitted by June 6.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino in a statement.

“I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance,” she added.

Twitter: @MikeMiliardHITN
Email the writer: [email protected]

Healthcare IT News is a HIMSS publication.