OCR Received Feedback on the HITECH Recognized Security Practices

Posted by HIPAA Software on Jun 13, 2022

Not long ago, HHS’ Office for Civil Rights (OCR) posted a request for information (RFI) urging healthcare organizations to share their views on financial penalties for HIPAA violations and on the HITECH Recognized Security Practices. The comment period has now closed, and OCR has received its first feedback. The organizations that responded were HIMSS, MGMA, and the Connected Health Initiative.

What Stimulated Providing the Feedback on the HITECH Recognized Security Practices?

This year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) invited healthcare organizations to share their opinions on the cybersecurity regulations and penalties established under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act came into force in 2009 and was amended in 2021. The law was the primary stimulus for the federal promotion of electronic health records (EHR), which helped spread information technology widely across US healthcare, but it did more than that: it complemented the Health Insurance Portability and Accountability Act (HIPAA) of 1996, filled its gaps, and strengthened enforcement of HIPAA compliance. The recently amended legislation also carries a range of policies and regulations concerning privacy and security.

In calling for public comment, OCR sought input on how organizations handle Recognized Security Practices, Civil Money Penalties, and Settlement Sharing. The RFI aimed to support the adoption of best privacy and security practices. It also aimed to help shape how funds collected through the agency’s enforcement actions are distributed to individuals harmed by HIPAA violations.

The primary purpose is to understand what guidance OCR should provide to help covered entities (CEs) understand and keep up with the 2021 HITECH Act amendments. A further aim is to urge health systems and their business associates (BAs) to do their best to protect patients’ privacy and security.

Organizations that Commented on the HITECH Recognized Security Practices

Several healthcare organizations responded to the HHS Office for Civil Rights (OCR) request for information (RFI), giving their opinions on the HITECH recognized security practices and penalties.

HIMSS

In its letter, the organization highlighted the need for an integrated approach to cybersecurity and patient privacy, as the HITECH-recognized security practices have shown. HIMSS endorsed the Office for Civil Rights (OCR) approach and advised the office to adopt policies that allow flexibility, but only in situations involving the best practices. That flexibility would therefore apply to electronic health records (EHR) protection and not to other HIPAA-covered areas.

According to HIMSS, when it comes to security practices, OCR should also clarify how the availability of controls is validated and provide a narrow definition of how those practices are implemented. HIMSS also advised OCR to set aside part of the collected penalties to sponsor and distribute training materials and other resources to covered entities (CEs) and business associates (BAs), promoting a culture of education. The aim of this advice is to give all organizations the knowledge and materials they need to prevent or mitigate cyberattacks.

MGMA

The Medical Group Management Association (MGMA) sent OCR a letter with several remarks. Stressing the particular needs of ambulatory practices, MGMA urged the office to put flexibility first and asked OCR to continue to accept a broad legal definition of “recognized security practices”. The aim is to give physician practices flexibility in how they implement recognized security practices, scaled to the size, complexity, infrastructure, and cost of each practice, because healthcare organizations of different sizes differ greatly in their technical and financial capabilities.

MGMA suggested that framework templates or easy-to-understand control lists could help IT leaders at healthcare organizations adopt sound cybersecurity approaches and implement the best patient security policies and practices. Finally, the group asked the Office for Civil Rights (OCR) to reduce confusion among physicians and to align its security regulations with other safeguards, such as ONC’s information-blocking rules.

CHI

The Connected Health Initiative (CHI) also joined the healthcare organizations providing feedback, offering three main suggestions. To underline the relevance of its comment, the organization cited statistics showing that since HITECH began requiring breach reports 13 years ago, almost 1,500 healthcare data breaches affecting more than 500 individuals have been reported.

CHI asked OCR to prioritize publishing updated, specific information about HIPAA obligations, mainly covering changes made since the HITECH Act was first implemented. It argued that relaxed safeguards, or at least additional guidance, are needed to address modern software-based methods, products, and services that ease the flow of PHI.

CHI also argued that the HIPAA Privacy Rule should not be revised to require disclosure of information for any additional purposes. This position does not extend to situations where an individual exercises their right of access under the Privacy Rule, nor to cases where HHS seeks to enforce the HIPAA Privacy and Security Rules.

CHI therefore holds that such revisions are unnecessary: they would add to the burden on CEs and BAs and weaken the protection of individuals’ privacy.
