The AAMC submitted comments on June 6 to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regarding its request for information on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH, PL 116- 321, as amended in 2021) Act [refer to Washington Highlights, Apr. 8].
Regarding questions specific to implementing OCR consideration of an entity’s security practices in place at the time of a potential Health Insurance Portability and Accountability Act of 1996 (HIPAA, PL 104-191) violation, the AAMC’s comments urged the agency to broadly recognize security practices within the statutory definition. “The Act defines the term in a carefully calibrated manner to remain broad while still providing sufficient clarity for regulated entities to understand the parameters of the term.” In addition, when considering whether such recognized security practices were “in place” prior to a potential violation, the AAMC’s letter recommended that the “OCR take into consideration all recognized security practices to the extent that they have been implemented, rather than adopt an all -or-nothing view.” This would set a standard based on compliance best practices.
Finally, regarding the implementation of a method to distribute a percentage of any civil monetary penalty or monetary settlement to individuals harmed by a HIPAA violation, the AAMC’s letter recommended the OCR ensure its methodology reflect its primary focus as a regulatory agency, rather than a judicial body more suited to distributing compensation after a finding of harm. To that end, the AAMC’s comments suggested the OCR “limit award distributions to situations where there is a sufficiently large total settlement amount and clear economic harm and adopt a distribution methodology that is simple and efficient.”