The medical privacy and security community will soon have the chance to weigh in on a new request for information (RFI) that does double duty for the HHS Office for Civil Rights (OCR)—it solicits input on ways to share penalties with individuals affected by HIPAA breaches and seeks feedback on how to incorporate recognized security practices into enforcement determinations.
OCR’s RFI has been under review by the Office of Management and Budget (OMB) since Jan. 27.[1] Also called an advance notice of proposed rulemaking (ANPRM), the RFI is an initial step in the federal rulemaking process that agencies generally skip unless they need insights from the entities to be regulated, in this case covered entities and business associates.
Moving forward from an ANPRM to a notice of proposed rulemaking (NPRM) is one of a trio of significant HIPAA-related tasks new OCR Director Lisa Pino has inherited. The other two are finalizing the NPRM and making significant revisions to the privacy rule.[2] That NPRM was issued with the approval of the current administration though drafted by the previous one—leading some to speculate the final rule may not be changed much.
But in her first public remarks about health care privacy and security, delivered at the recent national HIPAA conference,[3] Pino provided no hints either way. In fact, despite some gentle prodding from Adam Greene, an attorney and former OCR regulator, Pino declined to address the status of a number of regulatory projects other OCR officials have said in the recent past were underway.
Due to the pandemic, the HIPAA summit switched to a virtual format, with many speakers prerecording their sessions and not taking questions from the online audience. The prerecorded portion of Pino’s March 1 speech spanned about 19 minutes of the 45-minute presentation, during which she reviewed recent OCR guidance documents. For the remainder of the presentation, Pino took questions from Greene, a partner with Davis Wright Tremaine LLP.
Many of Pino’s comments echoed a blog post she authored that HHS had posted the previous day, which called on “covered entities and business associates to strengthen your organization’s cyber posture in 2022.”[4]