The medical privacy and security community will soon have the chance to weigh in on a new request for information (RFI) that does double duty for the HHS Office for Civil Rights (OCR)—it solicits input on ways to share penalties with individuals affected by HIPAA breaches and seeks feedback on how to incorporate recognized security practices into enforcement determinations.
OCR’s RFI has been under review by the Office of Management and Budget (OMB) since Jan. 27.[1] Also called an advance notice of proposed rulemaking (ANPRM), the RFI is an initial step in the federal rulemaking process that agencies generally skip unless they need insights from the entities to be regulated, in this case covered entities and business associates.
Moving forward from an ANPRM to a notice of proposed rulemaking (NPRM) is among a trio of significant HIPAA-related tasks new OCR Director Lisa Pino has inherited. Other efforts are finalizing the NPRM and making significant revisions to the privacy rule. This was issued with the approval of the current administration though drafted by the previous one—leading some to speculate the final rule may not be changed much.