OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches.

This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches.

OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter, only for that notice to be delayed.

If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve that aim and the methodology that should be employed.

One thing is clear: such a step would certainly be a challenge. How would OCR decide on the percentage of any HIPAA settlement or fine that should be paid to the victims of HIPAA violations and data breaches, and how could the money be shared fairly between affected patients?

Should every individual affected by a violation/breach receive an equal share of any settlement or should the amount received be determined by the type of PHI that has been exposed or the level of harm caused? In the case of the latter, how would it be possible to quantify harm and ensure appropriate payments are made?

Settlements to resolve HIPAA violations are not only determined by the number of individuals affected and the severity of the violation. OCR also takes the ability of a covered entity to pay a penalty into account. The amount paid to breach victims of virtually carbon-copy HIPAA violations at different covered entities would likely be vastly different.

The more people impacted by a data breach, the smaller the share would likely be for each affected individual. For example, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016, and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same amount. The NYPH settlement resolved violations that affected a handful of patients, whereas the MAPFRE breach impacted 2,200 individuals. If the percentage were fixed, the relative payments would differ considerably.

Potentially, HIPAA financial penalties could increase significantly if a percentage of the funds is given to breach victims to ensure patients receive a reasonable payment, especially for HIPAA violations and data breaches where considerable harm has been caused, such as the unauthorized disclosure of a patient’s HIV-positive status, or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology used would have to be very carefully considered to ensure funds are shared fairly. Even if the advance notice of proposed rulemaking is issued in November, it is likely to be some time before a fair methodology is decided and any payments are made.

OCR has also proposed other rules that could see the HIPAA Rules modified in the near future. OCR has proposed a change to the HIPAA Privacy Rule provision requiring healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently, healthcare providers are required to make a good faith effort to obtain written acknowledgments from patients, or must explain why acknowledgments have not been obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the accounting of protected health information disclosures of the HITECH Act, which has not yet been implemented due to the perceived cost to healthcare organizations.

OCR also proposes a change to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.