OCR Seeks Comments on Changes to HIPAA Enforcement Practices

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is seeking public comment on the HITECH Act requirements for sharing HIPAA penalties with harmed individuals and the implementation of the HIPAA Safe Harbor for entities that adhere to recognized security practices.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires HHS to distribute a percentage of the Civil Monetary Penalties (CMPs) and settlements collected through its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) to individuals harmed by those violations. The HITECH Act also requires HHS to develop and implement a methodology for determining the amounts that should be shared with those individuals.

In 2021, the HITECH Act was amended by the HIPAA Safe Harbor Act to encourage HIPAA-regulated entities to implement recognized security practices. Before the HIPAA Safe Harbor Act was signed into law, there was little incentive for HIPAA-regulated entities to adopt cybersecurity best practices, because an entity that suffered a breach could still face stiff financial penalties and intense scrutiny from OCR regardless of the security measures it had in place.

The HIPAA Safe Harbor Act amended the HITECH Act to require OCR to take into account the recognized security practices an entity has had in place for at least the previous 12 months when determining financial penalties and other remedies, and to reduce the scrutiny such entities face in OCR investigations, for example by decreasing the length and extent of audits.

As part of its efforts to address these HITECH Act requirements, OCR has published a Request for Information (RFI) in the Federal Register seeking public feedback on both issues. With respect to sharing monies with individuals harmed by HIPAA violations, OCR is seeking comment on which types of harm should qualify an individual to receive a payment, since the HITECH Act does not define harm. OCR is also seeking comments on potential methodologies for determining how monies should be shared and distributed.

With respect to recognized security practices, the HITECH Act already supplies a definition (the NIST Cybersecurity Framework, the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and are explicitly recognized by statute or regulation). OCR nonetheless wants to learn how HIPAA-regulated entities are implementing recognized security practices, how they expect to demonstrate that those practices are in place, and any implementation issues they have experienced or anticipate that OCR could address through future guidance or rulemaking. The HITECH Act amendment directs OCR to consider recognized security practices that have been in place for "no less than 12 months," but the statute does not say which event starts the 12-month lookback period. Comments are also requested on this aspect of the lookback period.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

OCR is accepting comments until June 6, 2022.

About Ryan Coyne
Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn https://www.linkedin.com/in/ryancoyne/ and follow on Twitter https://twitter.com/ryancoyne