In April 2022, the Department of Health and Human Services (HHS) released a Request for Information (RFI). An RFI allows an entity, like the government, to collect public feedback and answer any concerns. This RFI asks for input on the HIPAA HITECH Act. HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients.
Understanding HIPAA and its intricacies is vital for any organization that works with patients’ protected health information (PHI) and has email security concerns. This includes the HITECH Act’s emphasis on strong cybersecurity measures, such as HIPAA compliant email.
By putting out an RFI request, HHS demonstrates its support of organizations exploring how to be HIPAA compliant.
HITECH promotes the adoption and meaningful use of electronic health records (EHR) and cybersecurity measures. The act set aside funds to create a nationwide EHR network, offering monetary incentives to healthcare organizations that adopt new technologies.
Organizations that want federal funds must demonstrate that they achieved the minimum core objectives and are compliant with the HIPAA Privacy and Security rules. Recent studies support the idea that the growth in EHR use is attributable to HITECH. Before HITECH, few hospitals utilized EHRs because of prohibitive costs.
HITECH also added further guidelines and rules regarding the HHS’ Office for Civil Rights (OCR) and HIPAA violations. For one thing, it helped create tougher penalties under a four-tiered system. The tiers distinguish organizations that were unaware of a violation from those that willfully neglect it and make no effort to fix it. It set the maximum penalty at $1.5 million for all violations. Moreover, HHS could retain a proportion of the funds for its enforcement efforts and distribute it to individuals affected by breaches.
Beyond this, HITECH also gave business associates a contractual obligation to comply with HIPAA. Furthermore, it helped set up OCR’s Breach Notification Portal (commonly known as the Wall of Shame) to announce large breaches.
A 2021 amendment provides further incentives to covered entities that adopt “recognized cybersecurity practices” when developing monitoring and auditing procedures and setting risk management and security policies.
Such practices must be consistent with the HIPAA Security Rule but must also adhere to one of the following:
One such incentive changes how HHS sets fines should a data breach occur. It allows leniency for healthcare organizations that can prove their compliance with specific cybersecurity practices for at least the year prior to the breach.
The RFI first asks how the industry understands and implements “recognized security practices” under the HIPAA HITECH Act. Through this, OCR wants to determine and anticipate how organizations demonstrate recognized security practices in order to direct its determinations regarding fines, audits, and remedies when resolving HIPAA violations.
OCR also wants to learn more about implementation issues by clarifying what:
The idea is to help OCR shape its interpretation of HITECH so that it is practical in light of the risks faced by healthcare organizations.
The RFI also asks for input on how impacted (i.e., harmed) individuals receive compensation. The key to this part is asking for feedback on the term harm as well as the methodologies for sharing and distributing money.
The focus of this section includes such questions as:
At this time, OCR is considering three potential distribution models: distribution on a case-by-case basis, a fixed amount or one calculated by a formula, or a combination of both.
I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rule-making and guidance.
HHS will accept comments until June 6 through two different methods:
More information about the RFI can be found at https://www.regulations.gov/ under Docket ID HHS-OCR-0945-AA04.