The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is seeking public comment on the HITECH Act requirements for sharing HIPAA penalties with harmed individuals and the implementation of the HIPAA Safe Harbor for entities that adhere to recognized security practices.
The Health Information Technology for Economic and Clinical Health Act of 2009 requires the HHS to distribute a percentage of the Civil Monetary Penalties (CMPs) and settlements that are received from its enforcement of compliance with the Health Insurance Portability and Accountability Act to individuals who have been harmed by those violations. The HITECH Act requires the HHS to develop and implement a methodology for determining the appropriate amounts that should be shared with those individuals.
In 2021, the HITECH Act was amended by the HIPAA Safe Harbor Act to encourage HIPAA-regulated entities to implement recognized security practices. Before the HIPAA Safe Harbor Act was signed into law, HIPAA-regulated entities had little incentive to implement cybersecurity best practices: an entity that suffered a breach despite those measures would still face stiff financial penalties and intense scrutiny from OCR.
The HIPAA Safe Harbor Act amended the HITECH Act to require OCR, when determining financial penalties and other sanctions, to take into account any recognized security practices that an entity had in place for at least 12 months before the data breach, and to reduce the scrutiny such entities face in OCR investigations, for example by decreasing the length and extent of audits.
As part of its efforts to address these HITECH Act requirements, OCR has published a Request for Information (RFI) in the Federal Register seeking public feedback on these two issues. With respect to sharing monies with individuals harmed by HIPAA violations, OCR is seeking comment on the types of harm that should be considered by OCR that would qualify individuals to receive a payment, as the HITECH Act does not define harm. OCR is also seeking comments on potential methodologies that could be used to determine how monies could be shared and distributed.
With respect to recognized security practices, the statute already supplies a definition; however, OCR wants to learn how HIPAA-regulated entities are implementing recognized security practices, how they anticipate adequately demonstrating that those practices are in place, and any implementation issues they have experienced or anticipate, which OCR could address through future guidance or rulemaking. The HITECH Act amendment states that OCR should look back at the recognized security practices that have been in place for “no less than 12 months,” but the statute does not say what event starts the 12-month lookback period. Comments are also requested on this aspect of the lookback period.
“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”
OCR is accepting comments until June 6, 2022.