HIPAA Violation Settlements May Be Shared with Breach Victims Following OCR Plans

by Patrick Kennedy | May 29, 2018

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, included a provision requiring the Department of Health and Human Services to share a portion of HIPAA settlements and civil monetary penalties with the individuals harmed by the underlying HIPAA violations.

There have been some steps forward in this regard recently. The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it plans to release an advance notice of proposed rulemaking in November on sharing a portion of the fines it receives through its HIPAA enforcement operations with the individuals affected by data breaches.

OCR officials have previously stated that steps would be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time OCR has announced plans to issue an advance notice of proposed rulemaking on the topic, only for the notice to be cancelled.

Should OCR go ahead with its plans this fall, feedback will be sought from the public and industry stakeholders on how it can meet the HITECH requirement and what methodology should be used to distribute the funds.

One thing is certain: taking such a step would be difficult. How would OCR decide what portion of any HIPAA settlement or fine should be transferred to the victims of HIPAA violations and data breaches, and how could the money be shared fairly between impacted patients?

Should every person affected by a violation or breach receive an equal share of any settlement, or should the amount received be calculated according to the type of PHI that was exposed or the level of harm inflicted? How would harm be measured, and how could OCR ensure that adequate payments are made?

Settlements to resolve HIPAA violations are not calculated solely on the number of individuals impacted and the severity of the breach. OCR also takes into account the ability of a covered entity to pay a penalty. As a result, the amount paid to the victims of virtually identical HIPAA violations at different covered entities would likely be very different.

The more people affected by a data breach, the smaller the share each affected person would likely receive. For instance, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016, and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same figure. The NYPH settlement resolved violations that impacted a handful of patients, whereas the MAPFRE breach affected around 2,200 individuals. If a fixed percentage of each settlement were distributed, the amount each victim received would differ enormously.

HIPAA financial penalties could potentially rise significantly if a percentage of the funds is to be given to breach victims, in order to ensure that patients receive a reasonable payment. This would be especially true for HIPAA violations and data breaches where significant harm has been caused, such as the impermissible disclosure of a patient’s HIV-positive status, or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology employed would have to be very carefully considered to ensure that funds are shared fairly. Even if the advance notice of proposed rulemaking is published in November, it is likely to be some time before a fair methodology is agreed upon and any payments are made.

OCR has also proposed other rules that could see the HIPAA Rules amended in the near future. OCR has proposed an amendment to the HIPAA Privacy Rule provision that requires healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently, healthcare providers must make a good faith effort to obtain written acknowledgments from patients, or must document why acknowledgments could not be obtained. That requirement could be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to implement the HITECH Act’s accounting of disclosures requirement for protected health information, which has not yet been adopted because of the perceived cost to healthcare organizations.

OCR also proposes an amendment to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that aims to “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
