The Department of Health and Human Services wants to provide input on how healthcare organizations can implement security practices for health information privacy as they consider future rules and guidance.

a 30 questions request for information The Tuesday release also sought feedback on how HHS should define “harm” resulting from a violation of health privacy and how it should decide what types of incidents should result in financial compensation for individuals whose information was leaked.

HHS Must Consider Organizations Use of Cybersecurity Best Practices One Year Before Privacy Failure Health Information Portability and Accountability Act Violations as required by the 2021 law.

Congress authorized this to encourage HIPAA-bound healthcare organizations to adopt better security policies, even though they are not required by law to do so.

In preparing to implement the recent law, HHS sought information on what safety practices healthcare organizations implement and what standards they use to establish those practices. HHS also asked how healthcare entities ensure best practices are effective throughout their operations.

The HHS Office of Civil Rights needs to develop a method to determine how a portion of monetary settlements or fines for violations of HIPAA will be distributed to those affected. Under the law, HHS is supposed to penalize based on the extent of the violation and the amount of damage caused, but the statute doesn’t specify what constitutes “harm.”

Download the Modern Healthcare app to stay informed as industry news emerges.

Fines range from $100 to $50,000 per violation, with annual caps based on violations. The amount varies based on factors such as the degree of harm caused to the individual by the violation, and may be waived if the Office of Civil Rights determines that the penalty is disproportionate relative to the security failure.President Joe Biden FY 2023 Budget It is proposed to increase the HIPAA fine cap.

HHS seeks feedback on compensable damages under HIPAA. The department asked whether this should be limited to past injuries, or if the possibility of future injuries should be weighed. HHS sought feedback on whether only financial harm should be considered or whether emotional harm and other types of harm should be considered.

The department also asked for input on whether it should consider the release of other personal information, such as family members listed in medical records, as harm and whether those other parties should be eligible for settlements or penalty shares.

Furthermore, the law does not say how which portion of the fine or settlement should be allocated to the impaired patient. HHS asked whether there should be a minimum total fine before setting aside funds for distribution, whether it should take into account the compensation that other injured individuals may receive for the same violation, what factors the department should take into account when assessing how much they will receive, and more.

HHS will receive a response to its request within 60 days.