Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy

0945-AA04 202104 Unified Agenda of Federal Regulatory and Deregulatory Actions 0945 Office for Civil Rights OCR 0900 Department of Health and Human Services HHS HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH

This Request for Information (RFI) would solicit the public's views on establishing a methodology for the distribution of CMPs and monetary settlements to those harmed by an offense under the HIPAA Rules relating to privacy or security. It also would seek additional comment on modifying the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of the HITECH Act, sec. 13405(c). OCR plans to withdraw the Accounting of Disclosures NPRM that was issued in 2011 when a new NPRM on accounting of disclosures is issued. The RFI also would seek comment on ways to implement in regulation the requirement for OCR to consider certain recognized security practices of covered entities and business associates when making certain HIPAA enforcement determinations.

]]> Other Significant Previously Published in The Unified Agenda Prerule Stage No No 45 CFR 160 45 CFR 164 Social Security Act, sec. 1776 (42 U.S.C. 1320d-5) added by Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, sec. 264 (August 21, 1996) Health Information Technology for Economic and Clinical Health (HITECH) Act (title XIII of the American Recovery and Reinvestment Act of 2009) Pub. L. 111-5, sec 13410(c)(3) and (4) sec. 3412 as added by Pub. L. 116-321 (January 5, 2021) 42 U.S.C. 1320d-5, as amended Statutory Final 02/17/2012 The statutory deadline for issuing a rule on sharing of civil money penalties (CMPs) or monetary settlements was 2/17/2012. There is no statutory deadline on taking recognized security practices into account in HIPAA enforcement actions as the HITECH amendment does not require rulemaking. The statutory deadline for issuing a rule on accounting of disclosures is not later than 6 months after the Secretary adopts standards on accounting of disclosures as described in HITECH Act sec. 13101. Pub. L. 116-321 on taking recognized security practices into account in HIPAA enforcement actions does not require rulemaking. No NPRM 05/31/2011 76 FR 31426 NPRM Comment Period End 08/01/2011 RFI 11/00/2021 No No Federal Local State Tribal No No www.hhs.gov/ocr/privacy No No Marissa Gordon-Nguyen Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy 0945 Office for Civil Rights OCR 800 368-1019 800 537-7697 ocrprivacy@hhs.gov 200 Independence Avenue SW, Washington DC 20201