The Office for Civil Rights (OCR) released a request for information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health (HITECH) Act. It also is seeking public input on sharing funds collected through enforcement with individuals who are harmed via Health Insurance Portability and Accountability Act (HIPAA) violations.
OCR’s request for comment on the HITECH Act’s provision regarding “recognized security practices” represents an effort to recognize the work many covered entities are performing to bolster their cybersecurity by adopting best practices and adhering to the National Institute of Standards and Technology and other industry standards, writes partner Reece Hirsch. However, it remains to be seen how much OCR takes recognized security practices into account to reduce penalties or forgo enforcement actions.
“The RFI is a bit of a double-edged sword. The focus on recognized security practices suggests a more even-handed, covered entity-friendly approach to HIPAA enforcement,” Reece notes. “On the other hand, the focus on civil monetary penalties and settlement-sharing and the creation of a HIPAA whistleblower mechanism could lead to a spike in HIPAA enforcement activity.”