The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a request for information (RFI) on April 6 seeking input on implementing certain provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH, PL 116 -321, as amended in 2021) relating to cybersecurity practices and distribution of a portion of civil monetary penalties or monetary settlements to individuals harmed by a privacy or security breach.
The 2021 law requires the HHS to consider “recognized security practices” that covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, PL 104-191) demonstrate were in place in the 12 months prior to a potential HIPAA violation when determining fines, audits, and remedies to resolve the violation. This RFI seeks to better understand the cybersecurity practices health care entities are implementing, the standards they use to establish them, and how they might adequately demonstrate that the practices were implemented over the relevant period. The OCR also asked for input on any additional information or clarifications the office should consider in developing future guidance or proposed regulations regarding its consideration of recognized security practices.
A separate provision of the HITECH Act requires the HHS to establish a methodology to distribute a percentage of a civil monetary penalty or monetary settlement collected as part of the OCR’s enforcement of the HIPAA rules to an individual harmed by the violation. The OCR is seeking feedback on how it might determine compensable harm and considerations for establishing the methodology for determining what portion should go to compromised individuals.
Regarding defining harm, the RFI asked whether to limit the definition of harm to economic harm and whether to recognize the release of other individuals’ information as compensable harm. As for the methodology, the OCR must base it on recommendations from the Government Accountability Office, which the OCR described in the RFI.
Comments are due June 6 and will be used to inform future agency guidance or rulemaking. The AAMC intends to comment.