Responses to the OCR’s Request for Information



In April, we talked about a request for information issued by the OCR which closed on June 6th. Specifically, the OCR was looking for feedback on two requirements under the HITECH Act: “recognized security practices” and “civil money penalty and settlement sharing.”

The Connected Health Initiative (CHI) and the Medical Group Management Association (MGMA) both responded to the RFI with their thoughts and requests. Both organizations “urged HHS to provide clarity, best practices, and guidance” on the HITECH requirements as well as asking for flexibility and assistance for providers in meeting these requirements.

MGMA Response

MGMA pointed out the rapid increase in cybersecurity threats to healthcare organizations as evidence supporting the need for good data/systems protection. However, requiring specific security procedures of each provider may be impractical and could result in large financial and administrative burdens. MGMA requested that HHS work to “ensure that providers have the flexibility to adopt the security practices that are the most relevant to their organizations.” Ultimately, MGMA wants the decision on how to best protect themselves to remain in the hands of the provider.

They also asked that HHS create additional guidance and best practices to help providers know how to defend against cyber threats. Already, the HHS has announced the upcoming release of an educational video as part of this new guidance. The video is “intended to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation.” The topics covered will include:

  • The 2021 HITECH Amendment regarding recognized security practices

  • How regulated entities can adequately demonstrate that recognized security practices are in place

  • How OCR is requesting evidence of recognized security practices

  • Resources for information about recognized security practices

  • OCR’s Request for Information on recognized security practices

CHI Response

While also requesting additional guidance on these topics, CHI called for health regulations to be updated and clarified, to “ensure an environment in which patients and consumers can see improvement in their health.” Essentially, CHI wants providers to be able to comply with security requirements without stalling progress in technology use that could be beneficial to patients.


Moving forward, it will be interesting to see which of the “gray” areas of HIPAA the OCR will choose to clarify, and what new language may be provided for policy and business associate agreement creation. If you have any questions, don’t hesitate to reach out to your team at Medcurity.