View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

HHS/OCR RIN: 0945-AA04 Publication ID: Spring 2021 
Title: HIPAA Rules: Request for Information on Sharing Civil Money Penalties or Monetary Settlements With Harmed Individuals, and Recognized Security Practices Under HITECH 

This Request for Information (RFI) would solicit the public's views on establishing a methodology for the distribution of CMPs and monetary settlements to those harmed by an offense under the HIPAA Rules relating to privacy or security. It also would seek additional comment on modifying the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of the HITECH Act, sec. 13405(c). OCR plans to withdraw the Accounting of Disclosures NPRM that was issued in 2011 when a new NPRM on accounting of disclosures is issued.  The RFI also would seek comment on ways to implement in regulation the requirement for OCR to consider certain recognized security practices of covered entities and business associates when making certain HIPAA enforcement determinations.

Agency: Department of Health and Human Services(HHS)  Priority: Other Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Prerule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 45 CFR 160    45 CFR 164   
Legal Authority: Social Security Act, sec. 1776 (42 U.S.C. 1320d-5) added by Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, sec. 264 (August 21, 1996)    Health Information Technology for Economic and Clinical Health (HITECH) Act (title XIII of the American Recovery and Reinvestment Act of 2009)    Pub. L. 111-5, sec 13410(c)(3) and (4)    sec. 3412 as added by Pub. L. 116-321 (January 5, 2021)    42 U.S.C. 1320d-5, as amended   
Legal Deadline:
Action Source Description Date
Final  Statutory  The statutory deadline for issuing a rule on sharing of civil money penalties (CMPs) or monetary settlements was 2/17/2012.  02/17/2012 

Overall Description of Deadline: There is no statutory deadline on taking recognized security practices into account in HIPAA enforcement actions as the HITECH amendment does not require rulemaking. The statutory deadline for issuing a rule on accounting of disclosures is not later than 6 months after the Secretary adopts standards on accounting of disclosures as described in HITECH Act sec. 13101. Pub. L. 116-321 on taking recognized security practices into account in HIPAA enforcement actions does not require rulemaking.

Action Date FR Cite
NPRM  05/31/2011  76 FR 31426   
NPRM Comment Period End  08/01/2011 
RFI  11/00/2021 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Federal, Local, State, Tribal 
Small Entities Affected: No  Federalism: No 
Included in the Regulatory Plan: No 
RIN Information URL:  
RIN Data Printed in the FR: No 
Agency Contact:
Marissa Gordon-Nguyen
Senior Advisor for Health Information Privacy Policy
Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue SW,
Washington, DC 20201
Phone:800 368-1019
TDD Phone:800 537-7697