OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches.

This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches.

OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter, only for that notice to be delayed.

If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve that aim and the methodology that should be employed.

One thing is clear: such a step would certainly be a challenge. How would OCR decide on the percentage of any HIPAA settlement or fine that should be paid to the victims of HIPAA violations and data breaches, and how would it be possible to share the money fairly between affected patients?

Should every individual affected by a violation/breach receive an equal share of any settlement or should the amount received be determined by the type of PHI that has been exposed or the level of harm caused? In the case of the latter, how would it be possible to quantify harm and ensure appropriate payments are made?

Settlements to resolve HIPAA violations are not determined only by the number of individuals affected and the severity of the violation. OCR also takes a covered entity's ability to pay a penalty into account. The amount paid to breach victims of virtually identical HIPAA violations at different covered entities would therefore likely differ considerably.

The more people impacted by a data breach, the smaller the share would likely be for each affected individual. For example, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016, and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same amount. The NYPH settlement resolved violations that affected a handful of patients, whereas the MAPFRE breach impacted 2,200 individuals. If the percentage shared were fixed, the payment per individual would differ considerably between the two cases.

Potentially, HIPAA financial penalties could increase significantly if a percentage of the funds is given to breach victims, in order to ensure patients receive a reasonable payment, especially for HIPAA violations and data breaches where considerable harm has been caused, such as the unauthorized disclosure of a patient's HIV-positive status, or breaches where patients' PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology used would have to be very carefully considered to ensure funds are shared fairly. Even if the advance notice of proposed rulemaking is issued in November, it is likely to be some time before a fair methodology is decided and any payments are made.

OCR has also proposed other rules that could see the HIPAA Rules modified in the near future. OCR has proposed a change to the HIPAA Privacy Rule provision requiring healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently, healthcare providers are required to make a good faith effort to obtain written acknowledgments from patients, or must document why acknowledgments have not been obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the HITECH Act's accounting of disclosures requirement for protected health information, which has not yet been implemented due to the perceived cost to healthcare organizations.

OCR also proposes a change to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com