The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act contains a provision that victims of HIPAA violations and data breaches are to receive a percentage of the HIPAA settlements paid to the Department of Health and Human Services’ Office for Civil Rights (OCR). This month, OCR announced its plan to issue an advance notice of proposed rulemaking in November. Hopefully, there will be some progress on the plan to share a percentage of the fines OCR collects with victims of data breaches, as the proposed rulemaking has been delayed for a very long time.
If OCR proceeds with its plan, the public and industry stakeholders will be asked for feedback on how to implement this provision of the HITECH Act. Answering the many open questions will be a major challenge for OCR, including the following:
- How big a percentage of the fine will go to the victims of HIPAA violations?
- How will the money be shared among the affected patients?
- Will every individual victim of the breach get an equal share of the money or will the amount depend on the level of PHI exposed or the harm caused?
- How will the level of harm be quantified?
OCR sets HIPAA violation settlement amounts based on the number of affected individuals and the severity of the violation; the covered entity’s ability to pay is also considered. For example, New York Presbyterian Hospital paid OCR a settlement of $2,200,000 for HIPAA violations in 2016, in a case where only a few patients were affected. MAPFRE Life Insurance Company of Puerto Rico paid the same amount, but its breach affected 2,200 persons. If a fixed percentage of the fine were distributed, the payments to individual victims in these two cases would differ considerably.
Financial penalties could potentially increase if some of the fines are shared with breach victims, especially where considerable harm was caused to the victims, as in cases of unauthorized disclosure of patients’ HIV-positive status or access to patients’ PHI by identity thieves.
The methodology for sharing the funds fairly must be carefully considered, and there is still time to think it through before the proposed rulemaking in November. OCR may also modify some HIPAA Rules in the future. For example, the HIPAA Privacy Rule requirement that healthcare providers obtain acknowledgment that patients received a notice of privacy practices could well be removed. OCR also proposes to change the Presumption of Good Faith of Healthcare Providers, which concerns the presumption that healthcare providers are acting in the individual’s best interest when sharing information with the family of an incapacitated patient.