HHS’s Workplace for Civil Rights (OCR) has issued a request for data (RFI) searching for public feedback on two provisions of the Well being Info Expertise for Financial and Medical Well being Act (HITECH Act): the impact of acknowledged safety practices, and sharing of penalty and settlement quantities with harmed people. OCR is chargeable for administering and implementing HIPAA’s privateness, safety, and breach notification provisions. Feedback have to be submitted by June 6, 2022. Listed below are highlights of the RFI:
-
Acknowledged Safety Practices. A 2021 HITECH Act modification requires OCR to think about in safety rule enforcement and audit actions whether or not a coated entity or enterprise affiliate has adequately demonstrated that “acknowledged safety practices” have been in place for the prior 12 months. In making use of this provision, OCR notes that it’ll think about solely practices that the coated entity or enterprise affiliate demonstrates have been totally carried out, that means that the practices have been actively and persistently in use over the related interval. Feedback are requested on the forms of practices that coated entities and enterprise associates have adopted, and the way they be certain that these practices have been carried out all through the enterprise and have been actively and persistently used over a 12-month interval.
-
Penalties and Settlements. The HITECH Act considerably elevated the civil financial penalties for HIPAA violations (see our Checkpoint article). The legislation requires HHS to difficulty rules establishing a technique underneath which a proportion of any civil financial penalty or settlement collected with respect to a violation of the privateness, safety, or breach notification guidelines could also be distributed to people harmed by the violation. Penalty determinations have to be primarily based on the character and extent of violations and ensuing hurt, however the HITECH Act doesn’t outline “hurt” or record standards to help in defining the time period. HHS has recognized a nonexhaustive record of the forms of hurt that could be thought of aggravating components in figuring out penalties: bodily, monetary, reputational, and impaired capacity to acquire well being care. The RFI seeks feedback on, amongst different issues, (1) the forms of hurt to be thought of in distributing civil financial penalties or settlement proceeds to harmed people (which can differ from the forms of hurt used to find out penalty quantities), (2) potential strategies for allocating proceeds to harmed people, together with public coverage objectives in choosing a technique, (3) identification of harmed people, (4) discount of distributions for people who’re compensated via different mechanisms, and (5) minimal or most percentages or quantities put aside for distribution.
EBIA Remark: Laws on sharing proceeds of HIPAA civil financial penalties and settlements are greater than 10 years overdue. The delay is probably going attributable to the thorny points concerned in implementing a distribution technique, as recommended by the matters listed within the RFI. Though OCR’s civil financial penalties and settlement quantities could also be massive within the combination, they are often fairly small per capita when a violation impacts 1000’s and even tens of millions of people. For instance, the Anthem breach resulted in a $16 million settlement for a breach affecting 79 million people (see our Checkpoint article). In such circumstances, it might be impractical to distribute a proportion of the settlement proceeds to each affected particular person. For extra data, see HIPAA’s Portability, Privateness & Safety handbook at Sections XX (“Enforcement of Privateness, Safety, and EDI Guidelines”) and XXIX.E (“Creating Your Safety Program”).
Contributing Editors: EBIA Workers.
