HIPAA Violation Settlements May Be Shared with Breach Victims Following OCR Plans

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, included a provision requiring the Department of Health and Human Services to share a portion of HIPAA settlements and civil monetary penalties with the individuals harmed by the underlying HIPAA violations.

There have recently been some steps forward in this regard. The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it plans to release an advance notice of proposed rulemaking in November on sharing a portion of the fines it receives through its HIPAA enforcement activities with the individuals affected by data breaches.

OCR officials have previously stated that steps would be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced plans to issue an advance notice of proposed rulemaking on the topic, only for that notice to be cancelled.

Should OCR go ahead with its plans this fall, it will seek feedback from the public and industry stakeholders on how it can satisfy the HITECH requirement and on the methodology that should be used to distribute funds.

One thing is certain: taking such a step would be difficult. How would OCR decide what portion of a HIPAA settlement or fine should be transferred to the victims of the violation or data breach, and how could that money be shared fairly among the affected patients?

Should every person affected by a violation or breach receive an equal share of a settlement, or should the amount each person receives depend on the type of PHI that was exposed or the level of harm suffered? If the latter, how would harm be measured, and how could OCR ensure the payments are adequate?

Settlements to resolve HIPAA violations are not calculated solely from the number of individuals affected and the severity of the breach. OCR also takes into account the ability of a covered entity to pay a penalty. As a result, victims of virtually identical HIPAA violations at different covered entities would likely receive very different amounts.

The more people a data breach affects, the smaller each person's share would likely be. For instance, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016, and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same figure. The NYPH settlement resolved violations that affected only a handful of patients, whereas the MAPFRE breach affected 2,200 individuals. If a fixed percentage of each settlement were distributed, the per-person payments in the two cases would differ enormously.

HIPAA financial penalties could potentially rise significantly if a percentage of the funds were paid to breach victims, in order to ensure that patients receive a reasonable payment. That is especially true for HIPAA violations and data breaches that cause significant harm, such as the impermissible disclosure of a patient's HIV-positive status, or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology would have to be considered very carefully to ensure that funds are shared fairly. Even if the advance notice of proposed rulemaking is published in November, it is likely to be some time before a fair methodology is agreed and any payments are made.

OCR has also proposed other changes that could see the HIPAA Rules amended in the near future. OCR has proposed amending the HIPAA Privacy Rule provision that requires healthcare providers to obtain patients' acknowledgment of receipt of the notice of privacy practices. Currently, healthcare providers must make a good faith effort to obtain a written acknowledgment from each patient, or document why an acknowledgment was not obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the HITECH Act's accounting of disclosures requirement for protected health information, which has not yet been implemented because of the perceived cost to healthcare organizations.

OCR has also proposed an amendment to the HIPAA Privacy Rule, Presumption of Good Faith of HealthCare Providers, that aims to “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”