OCR Seeks Public Input on Penalties, Security Measures Under HITECH

OCR issued a request for information regarding HITECH’s recognized security practices and civil monetary penalty and settlement sharing sections.

HHS’ Office for Civil Rights (OCR) issued a request for information (RFI) seeking feedback on two requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH).

HITECH was signed into law in 2009 to promote EHR adoption, HHS’ website states. Some sections aimed to address privacy and security concerns surrounding the electronic transmission of health information as well.

HITECH also led to the creation of the HIPAA Breach Notification Rule and OCR’s data breach portal.

In January 2021, Congress enacted an amendment to the HITECH Act “to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”

Essentially, the amendment presented covered entities with significant incentives for having adequate security and privacy controls in place by offering reduced fines and other perks. Covered entities were directed to implement security controls based on the National Institute of Standards and Technology (NIST) framework, the HIPAA Security Rule, and section 405(d) of the Cybersecurity Act of 2015.

However, the amendment mostly left covered entities and business associates to interpret what “recognized security practices” were right for their organizations.

“The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI). This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices,” OCR’s announcement stated.

“The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”

Specifically, OCR is seeking public comment on the recognized security practices and the civil money penalty and settlement sharing sections of HITECH.

“One of the primary goals of this provision is to encourage covered entities and business associates to do ‘everything in their power to safeguard patient data,’” OCR said of the recognized security practices section.

Via its request for information, OCR is encouraging covered entities and business associates to provide feedback on how they have been implementing the recognized security practices and how they expect to demonstrate that those practices are in place.

In addition, organizations can use the RFI to ask OCR for further clarification on the rule and feedback on what would be helpful to see in future rulemaking.

Section 13410(c)(3) of HITECH requires HHS to “establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense,” the announcement explained.

OCR is seeking feedback on how to implement and improve potential methodologies for distributing monetary settlements to harmed individuals.

OCR called upon all stakeholders, including patients, covered entities, business associates, healthcare professional associations, and more to provide feedback.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” Lisa J. Pino, OCR’s director, said in the announcement.

“I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”