HIMSS Delivers Cybersecurity Practice Comments to HHS Office for Civil Rights

HIMSS has provided written comments to The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) regarding the Health Information Technology for Economic and Clinical Health (HITECH) Act around cybersecurity practices.

OCR solicited public comment on certain provisions of the HITECH Act to help determine what information or clarifications it needs to provide to help regulated entities understand the application of Public Law 116-321.

HIMSS’s recently updated Public Policy Principles highlights the importance of a unified approach to health cybersecurity and information privacy, a pillar reflected in the HITECH Security Practices Amendments in Public Law 116-321.

For nearly 30 years, HIMSS has demonstrated its commitment to educating the healthcare community on preparation and mitigation of privacy, security and cybersecurity threats. The HIMSS Cybersecurity Guide provides a practical starting point on current threats, best practices, and other important preparedness topics. The Cybersecurity Guide is continually informed by the HIMSS Healthcare Cybersecurity Survey Report, an annual survey of industry leaders and frontline cybersecurity professionals.

 HIMSS applauds the work of OCR and provides the following recommendations.

• HIMSS recommends OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.

• HIMSS recommends OCR align its work with other federal agencies to improve best practices for healthcare.

• HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.

• HIMSS recommends OCR embrace the culture of learning to ensure all organizations have the knowledge and resources to prevent or mitigate attacks from bad actors. HIMSS suggests that a more impactful use of collected fines and OCR’s resources would be in the creation and distribution of educational materials and additional resources for covered entities, business associates and others.

HIMSS looks forward to the opportunity to be a resource for OCR on innovative, forward-thinking steps to educate the public around cybersecurity practices and data privacy.

Read the full letter.