The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) called for the Department of Health and Human Services (HHS) to distribute a percentage of civil monetary penalties (CMPs) and settlements for HIPAA violations to individuals who have been harmed by the HIPAA violations that warranted the penalties.
Last year, the HITECH Act was amended to include a HIPAA Safe Harbor for HIPAA-regulated entities that experienced a data breach despite having implemented “recognized security practices” for at least 12 months prior to the data breach occurring. The HIPAA Safe Harbor Act requires OCR to consider those measures when determining penalties and other remedies to resolve HIPAA violations, with those entities also facing less scrutiny by OCR in investigations and audits if they have implemented industry-standard security practices.
The HHS is now addressing these two outstanding requirements of the HITECH Act and has published a Request for Information in the Federal Register seeking comment from the public, HIPAA-regulated entities, and industry stakeholders on those requirements.
Recognized security practices are defined by the National Institute of Standards and Technology (NIST) as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,” and “the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015.” While HIPAA-regulated entities are not required to implement recognized security practices, security practices must be implemented that are consistent with the HIPAA Security Rule.
OCR wants to understand how HIPAA-regulated entities are implementing recognized security practices, how they anticipate adequately demonstrating that recognized security practices are in place, what action should signal the start of the 12-month look-back period, and any implementation issues that should be considered by OCR and need to be addressed through rulemaking or guidance.
Regarding the distribution of a percentage of CMPs and settlements, OCR wants to know what harms should be considered that would qualify individuals to receive a percentage of the monies, as those harms are not specified in the HITECH Act. OCR also requests suggestions on a methodology for sharing and distributing those funds. The RFI can be viewed here, and comments are being accepted until June 6, 2022.
“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”