The OCR is Seeking Public Comment on Two Requirements from the HITECH Act
Earlier this month the Office for Civil Rights (OCR) released a Request for Information (RFI) looking for comments from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.

As we heard from OCR director Lisa J. Pino, the healthcare industry in the US is becoming increasingly targeted by cyberattacks. As the number of attacks rises, the strategies used by cybercriminals are also becoming more sophisticated.

Because of this, the OCR is continuing to urge healthcare providers and their business associates to keep patient data safe by putting greater security protections in place. As these additional safeguards are implemented, the OCR is asking for feedback to help it support the efforts of providers and business associates. In addition, these comments should help the OCR to “consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.”

The OCR encourages all healthcare providers and their business associates, as well as patients and families, health IT vendors, and other organizations, to respond to this RFI before submissions close on June 6.

There are two requirements from the HITECH Act under review:

1. Recognized Security Practices

After an investigation or audit, the HITECH Act “requires HHS to take into consideration certain recognized security practices” of providers and business associates before deciding on the amount of a fine for a HIPAA breach. This requirement was put in place to incentivise healthcare professionals to make their best efforts to protect patient data. Now the OCR wants to hear how these “recognized security practices” are being implemented, and what evidence of their current cybersecurity efforts providers would be able to readily produce.

2. Civil Monetary Penalty and Settlement Sharing

When a monetary penalty or settlement is paid to the OCR after a breach, the OCR may be required to distribute a portion of that amount to any individual harmed by the violation. The percentage of the money collected that is distributed varies depending on how compromising the data breach was and how harmful it was to the individual. The RFI lays out the current methods for this distribution and invites parties to share alternative suggestions for what should be considered “harm” to an individual.

If you would like to submit comments to the OCR on either of these requirements, you can go here to learn more. As always, our team at Medcurity is here to support you in all things HIPAA and compliance related. You can contact our team here.