Request for Information (RFI) on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements with Harmed Individuals Under the HITECH Act

On April 6, 2022, OCR released a RFI seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.  OCR is seeking public comment on the following provisions of law:

• Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.  Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

  One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”   

  To achieve this goal, Congress sought to “[incentivize] healthcare entities to adopt strong cybersecurity practices by encouraging the Secretary of HHS to consider entities' adoption of recognized security practices when conducting audits or administering HIPAA fines." The statute requires OCR to take into consideration in certain Security Rule enforcement and audit activities where a covered entity or business associate has adequately demonstrated that recognized security practices were “in place” for the prior 12 months. 

• Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a violation of the HIPAA Privacy, Security, or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense.

  Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term. The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:

• View the RFI in the Federal Register
• View the RFI Press Release
• View the GAO Letter on Models for the Distribution of Civil Money Penalties

Please note that comments must be submitted by June 06, 2022 in order to be considered.

###