In April 2022, the Department of Health and Human Services (HHS) released a Request for Information (RFI). An RFI allows an entity, like the government, to collect public feedback and answer any concerns. This RFI asks for input on the HIPAA HITECH Act.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. Understanding HIPAA and its intricacies are vital for any organization that works with patients’ protected health information (PHI) and has email security concerns. This includes the HITECH Act’s emphasis on strong cybersecurity measures, such as HIPAA compliant email.
By putting out an RFI request, HHS demonstrates its support of organizations exploring how to be HIPAA compliant.
What is the HIPAA HITECH Act?
The HIPAA HITECH Act is the Health Information Technology for Economic and Clinical Health Act of 2009. HITECH establishes federal standards on the security of PHI through two general initiatives.
Technology adoption of EHRs and cybersecurity
HITECH promotes the adoption and meaningful use of electronic health records (EHR) and cybersecurity measures. The act set aside funds to create a nationwide EHR network, offering monetary incentives to healthcare organizations that adopt new technologies. Organizations that want federal funds must demonstrate that they achieved the minimum core objectives and are compliant with the HIPAA Privacy and Security rules.
Recent studies support the idea that the growth in EHR use is attributable to HITECH. Before HITECH, few hospitals utilized EHRs because of prohibitive costs.
Further OCR support for those impacted by HIPAA violations
HITECH also added further guidelines and rules regarding the HHS’ Office for Civil Rights (OCR) and HIPAA violations. For one thing, it helped create tougher penalties under a four-tiered system. The tiers separate organizations into those unaware from those that willfully neglect and make no effort to fix a violation. It set the maximum penalty to $1.5 million for all violations. Moreover, HHS could retain a proportion of the funds for its enforcement efforts and distribute it to individuals affected by breaches.
Beyond this, HITECH also gave business associates a contractual obligation to comply with HIPAA. Furthermore, it helped set up OCR’s Breach Notification Portal (commonly known as the Wall of Shame) to announce large breaches.
2021 HITECH amendment
A 2021 amendment provides further incentives to covered entities that adopt “recognized cybersecurity practices” when developing monitoring and auditing procedures and setting risk management and security policies. Such practices must be consistent with the HIPAA Security Rule but must also adhere to one of the following:
- The National Institute of Standards and Technology (NIST) Act, section 2(c)(15)
- The Cybersecurity Act of 2015, section 405(d)
- Other programs and processes developed, recognized, or promulgated through regulations under other statutory authorities
One such incentive redetermines how HHS sets fines should a data breach occur. It allows for leniency to healthcare organizations that prove their compliance to specific cybersecurity practices for at least one year prior.
The focus of the HITECH Act RFI
According to the RFI, HHS and OCR issued the request to solicit public comment on two facets of the HITECH Act: recognized security practices and the distribution of monetary penalties to harmed individuals.
As cyber threats increase, HHS wants to better support healthcare organizations as well as the individuals affected by HIPAA violations.
Recognized HIPAA security practices
The RFI first asks how the industry understands and implements “recognized security practices” under the HIPAA HITECH Act. Through this, OCR wants to determine and anticipate how organizations demonstrate recognized security practices in order to direct its determinations regarding fines, audits, and remedies when resolving HIPAA violations.
OCR also wants to learn more about implementation issues by clarifying what:
- Practices are being implemented
- Standards are used to decide on the practices
- Steps are being taken to ensure the practices are in place
- Steps are being taken to ensure consistent use of practices for 12 months
The idea is to help OCR shape its interpretation of HITECH so that it is practical to the risks faced by healthcare organizations.
Compensation after a HIPAA violation
The RFI also asks for input on how impacted (i.e., harmed) individuals receive compensation. The key to this part is asking for feedback on the term harm as well as the methodologies for sharing and distributing money.
The focus of this section includes such questions as:
- What constitutes harm after a HIPAA violation?
- What type of harm should HHS consider?
- How should HHS identify harmed individuals? Notify them?
- What methodologies should HHS use to share and distribute penalties?
At this time, OCR is considering three potential distribution models. These are on a case-by-case basis, fixed or calculated by a formula, or a combination of both.
Submitting a comment
The RFI comes as cyberattacks increase along with OCR’s enforcement of HIPAA. OCR encourages patients and their families, covered entities and business associates, consumer advocates, healthcare professional associates, health information management professionals, health IT vendors, and government entities for feedback.
In a statement about the RFI, OCR Director Lisa J. Pino adds:
I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rule-making and guidance.
HHS will accept comments until June 6 through two different methods:
- Search the Federal eRulemaking portal for Docket ID HHS-OCR-0945-AA04 and follow the instructions. Attachments must be Microsoft Word or PDF.
- Mail to HHS using regular, express, or overnight mail; Attention: HITECH Act Recognized Security Practices Request for Information, RIN 0945-AA04, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
More information about the RFI can be found at https://www.regulations.gov/ under Docket ID HHS-OCR-0945-AA04.