Earlier this spring, the Office for Civil Rights in the U.S. Department of Health and Human Services put out a call for comments about the cybersecurity provisions and monetary penalties stipulated by the Health Information Technology for Economic and Clinical Health Act.
The 2009 HITECH Act, which was amended in 2021, wasn’t just the primary driver of federal EHR incentives that enabled enormous uptake of health IT across the U.S. The newly-updated law also has a series of rules and regulations around privacy and security.
OCR is interested in how covered entities are managing with two of them – Recognized Security Practices and Civil Money Penalty and Settlement Sharing.
Its request for information is meant to help officials better support the healthcare industry’s implementation of best practices for privacy and security and also help guide its efforts to ensure that funds collected through the agency’s enforcement actions are disbursed to most effectively individuals harmed by HIPAA violations.
The goal is to find out what clarifications OCR should provide to help regulated entities understand and comply with the 2021 HITECH Act revision, Public Law 116-321, and, more generally, to further encourage health systems and their business associates to do “everything in their power to safeguard patient data,” officials said.
Several industry groups have weighed in with their responses to the agency’s call for feedback.
HIMSS (parent company of Healthcare IT News), which recently updated its Public Policy Principles, emphasized the need for a unified approach to cybersecurity and patient privacy, as reflected in the HITECH Security Practices amendments.
While applauding OCR’s approach, HIMSS recommended the agency “implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information and not to other areas that are within the scope of HIPAA.”
When it comes to security practices, OCR should also “distinguish between confirming that a control is in place and narrowly defining how the control is implemented,” according to HIMSS.
The organization also suggested OCR should earmark some collected fines to help fund and distribute educational materials and other resources for covered entities and business associates, to help further a “culture of learning to ensure all organizations have the knowledge and resources to prevent or mitigate attacks from bad actors.”
Read HIMSS’ full letter here.
The Medical Group Management Association, meanwhile, had several recommendations of its own for OCR.
Pointing to the unique needs of ambulatory practices, it called on the agency to prioritize flexibility, and asked that HHS “continue to recognize the broad statutory definition of the term ‘recognized security practice’ to ensure physicians have the flexibility to implement security programs based on practice size, complexity, infrastructure, and the costs of the security measures, as there are vast differences in the technical and financial capabilities of medical groups of varied sizes.”
MGMA also suggested that sample frameworks or easy-to-understand checklists could help medical group IT leaders understand “real-world approaches” to cybersecurity and help them implement best practices and policies for patient privacy.
The group also asked that OCR could reduce confusion for physicians by better harmonizing its security rules with other regulations such as ONC’s information blocking rules.
Read MGMA’s full letter here.
For its part, the Connected Health Initiative offered three main suggestions. It called on OCR to remember that “no data is more personal to Americans than their own health data.”
To highlight that, it offered statistics – noting that, since HITECH first started requiring breach reporting in 2009, some 1,473 health data breaches affecting 500 or more people have occurred.
CHI also asked the agency to prioritize “up-to-date and clear information about obligations under HIPAA is critical,” especially the many changes that have taken place across the industry over the past 13 years.
“Regulatory relief, or, at minimum, more guidance, is needed to address the use of new innovative modalities and software app-powered products and services that facilitate the flow of PHI,” said CHI officials.
“With advances in other key federal regulatory contexts to advance the uptake and use of digital health tools (e.g., new Medicare reimbursement for the use of innovative remote patient monitoring tools), OCR’s efforts to improve the HIPAA rules could not come at a more vital moment.”
CHI also made its case that the HIPAA Privacy Rule “should not be revised to require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules.”
Such revisions aren’t necessary, it argued, would pose undue burdens on covered entities and business associates and “would lessen the protections for the privacy of individuals’ PHI.”