The Health and Human Services Department wants input on how healthcare organizations implement security practices for health information privacy as it considers future rules and guidance.
A 30-question information request issued Tuesday also solicits feedback on how HHS should define "harm" that results from health privacy violations and how it should decide what types of incidents should result financial compensation to individuals whose information was compromised.
HHS has to consider an organization's use of cybersecurity best practices for a year prior to a privacy failure when levying fines for Health Information Portability and Accountability Act violations, as required by a 2021 law.
Congress mandated this to encourage healthcare organizations subject to HIPAA to adopt the better security policies, although they aren't legally required to do so.
In preparation for implementing the recent law, HHS seeks information about what security practices healthcare organizations have in place and what standards they use to establish them. HHS also asks how healthcare entities ensure best practices are in force throughout their operations.
The HHS Office of Civil Rights is required to establish a method for determining how to distribute portions of monetary settlements or fines for HIPAA violations to the people affected. Under the law, HHS is supposed to base penalties on the extent of the violations and on how much damage they caused, but the statute doesn't specify what constitutes "harm."
Fines range from $100 to $50,000 per violation, with annual caps scaled to the circumstances of violations. The amount varies based on factors including how much harm the violation caused an individual, and the Office of Civil Rights can waive penalties if it determines they would be excessive relative to the security failure. President Joe Biden's fiscal 2023 budget proposes raising the cap on HIPAA fines.
HHS seeks feedback on what counts as compensable harm under HIPAA. The department asks whether that should be limited to past harms or if the potential for future harm should be weighed. HHS seeks feedback on whether only economic harms should be considered, or if emotional damage and other types of injury should be factors.
The department also requests viewpoints on whether it should recognize the release of other individuals' information, such family members named in a medical records, as harm and whether those other parties should be eligible for shares of settlements or fines.
Additionally, the law doesn't say how what portion of fines or settlements should go to compromised patients. HHS asks whether there should be a minimum total penalty before it sets aside money for distribution, whether it should consider other compensation harmed individuals may have received for the same violations, what factors the department should consider in assessing how much they would receive and more.
HHS will accept responses to its request for 60 days.