Healthcare Groups Seek OCR For HITECH Cybersecurity Clarity


The US Department of Health and Human Services’ Office for Civil Rights issued a request for comments earlier this spring regarding the cybersecurity rules and financial fines mandated under the Health Information Technology for Economic and Clinical Health Act.

The 2009 HITECH Act, which was revised in 2021, wasn’t simply the driving force behind federal EHR incentives that fueled massive adoption of health IT across the United States. The newly amended law also includes a number of privacy and security-related norms and restrictions. The Office of the Comptroller of the Currency is interested in how covered businesses are dealing with two of them: Certified Security Protocols and Civil Monetary Penalties and Settlement Cooperation.

Its request for information is intended to assist officials in better supporting the healthcare industry’s effective implementation of privacy and security policies, as well as navigating its actions to achieve that revenue raised through the agency’s enforcement actions is distributed to individuals harmed by HIPAA violations in the most effective way possible.

The aim is to find out what explanations OCR needs to provide to help regulatory agencies remain compliant with the HITECH Act revision of 2021, Public Law 116-321, and, more broadly, to inspire healthcare systems and their business contacts to do all in their power to protect patient information, according to officials. Several industry organisations have responded to the agency’s request for feedback.

While applauding OCR’s approach, HIMSS advised the agency to implement policies that restrict enforcement authority to scenarios involving the use of security practises as long as that discretion is limited to protecting electronic protected health information and not to other areas covered by HIPAA. According to HIMSS, OCR should distinguish between establishing that a check is in place and carefully describing how the check is implemented when it comes to safety measures. The group also suggested that OCR set aside some fines to help finance and disseminate educational materials and resources to covered entities and business associates, in order to promote a learning culture that ensures all organisations have the resources and knowledge to prevent or mitigate bad actor attacks.

Meanwhile, the Medical Group Management Association made many recommendations for OCR. It asked HHS to proceed to acknowledge the broad legal definition of the term “recognized security practice” to ensure physicians have the flexibility to implement security programmes based on their magnitude, depth, infrastructural facilities, and the cost of the security protocols, as there are massive differences in the technical and financial capabilities of medical groups, citing the unique needs of ambulatory practises.

Sample frameworks or simple checklists, according to the MGMA, could help medical group IT administrators comprehend real-world approaches to cybersecurity and apply best practises and policies for patient privacy. The organisation also requested that OCR harmonise its security guidelines with other regulations, such as the ONC’s information blocking rules, in order to eliminate doctor misunderstanding.

The Connected Health Initiative, for its part, made three primary recommendations. No information is more private to Americans than their own health information, it said, urging OCR to remember. It provided figures to demonstrate this, saying that 1,473 health data intrusions affecting 500 or more people have happened since HITECH began requiring breach notification in 2009.

CHI also requested that the agency prioritise up-to-date and unambiguous information on HIPAA duties, which is vital, particularly given the significant changes that have occurred in the field over the last 13 years. Regulation relief, or at the very least further direction, CHI officials noted, is required to resolve the use of new creative methods and software app-powered products and services that ease the flow of PHI.

With advancements in other key government regulatory contexts to promote the adoption and use of digital health tools (e.g., new Medicare coverage for the use of novel remote patient monitoring tools), OCR’s attempts to reform the HIPAA rules could not come at a more critical time. CHI also argued that the HIPAA Privacy Rule should not be changed to mandate disclosures for any new purposes other than to the person when the person exercises his or her right of entry under the Rule, or to HHS for purposes of HIPAA Rules enforcement.

It contends that such adjustments aren’t necessary because they would impose undue costs on covered businesses and business partners and weaken the privacy protections for individuals’ PHI.