On April 6, OCR published a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021. These two requirements are:
- Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.
- Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense.
For more information on the HITECH RFI and how to submit a public comment, visit here
Privacy Rule NPRM
On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals' engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals' health information privacy interests.
For more information on the Privacy Rule NPRM, visit here