HIPAA law is not static, but evolves in response to technology, security issues and changing healthcare practices. The latest example is a request for information (RFI) from the HHS Office for Civil Rights (OCR) asking for public comments on two requirements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act).
One of the reasons for this RFI now, according to OCR, is that the “growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).” The RFI is also seeking comment on how OCR might “share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”
Background of HITECH
HITECH was signed into law in 2009 to promote the adoption of electronic health records (EHR) and address privacy and security issues surrounding the electronic transmission of health information. HITECH also:
- added the Breach Notification Rule,
- led to the creation of the OCR Breach Portal,
- extended HIPAA liability to Business Associates, and
- strengthened penalties for non-compliance.
Promotion of Recognized Security Practices
The HITECH Act was amended in 2021 to further promote electronic security protections by requiring HHS “to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”
The amendment gave covered entities incentives for adopting recognized security and privacy controls by offering reduced fines and other benefits. Covered entities were directed to use security controls based on the National Institute of Standards and Technology (NIST) framework, the HIPAA Security Rule, and section 405(d) of the Cybersecurity Act of 2015. One of the primary goals of the amendment was to encourage the healthcare industry to do “everything in their power to safeguard patient data.”
Sharing of Civil Money Penalties
The HITECH Act also required HHS to establish a methodology under which an individual harmed by a potential HIPAA violation may receive a percentage of any civil money penalties or monetary settlement collected for such an offense.
Request for Information
However, the amendment did not define “recognized security practices” and left covered entities and business associates to interpret what would be appropriate for their organizations. So the RFI now solicits comments on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.
The RFI also solicits public comment on the types of harms that should be considered in the distribution of penalties and settlements to harmed individuals, potential methodologies for sharing monies with those harmed, and invites the public to submit alternative methodologies.
Who May Comment and How Is It Done?
Anyone may comment.
“OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.”
Anyone seeking more information about the RFI, or about how to provide written or electronic comments to OCR, should visit the Federal Register. Comments must be submitted by June 6, 2022 in order to be considered.