HIPAA Violation Settlements Might Be Shared with Breach Victims Under OCR Plans

May 31, 2018


The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, included a provision requiring the Department of Health and Human Services to share a portion of HIPAA settlements with individuals affected by HIPAA breaches.

There has been some progress in this area recently. The Department of Health and Human Services' Office for Civil Rights (OCR) has announced that it plans to issue an advance notice of proposed rulemaking in November on sharing a portion of the penalties it collects through its HIPAA enforcement actions with individuals affected by data breaches.

OCR officials have previously said that steps would be taken to meet this HITECH requirement, but little progress has been made. This is not the first time OCR has announced plans to issue an advance notice of proposed rulemaking on the subject, only for that notice to be withdrawn.

Should OCR go ahead with its plans this fall, it will seek comment from the public and industry stakeholders on how it can meet that requirement and what procedure should be applied.

One thing is certain: implementing such a measure would be difficult. How would OCR decide what portion of a HIPAA settlement or penalty should be passed on to the victims of HIPAA violations and data breaches, and how would it divide the money fairly among affected patients?

Should every person affected by a violation or breach receive an equal share of any payment, or should the amount be calculated according to the type of PHI exposed or the degree of harm suffered? How could harm be assessed, and how could adequate payments be ensured?

Settlements resolving HIPAA violations are not calculated solely from the number of individuals affected and the severity of the breach. OCR also takes into account a covered entity's ability to pay a penalty. The amount paid to breach victims of near-identical HIPAA violations at different covered entities could therefore differ considerably.

OCR has also proposed other rules that could see the HIPAA Rules amended in the near future. OCR has proposed changing the HIPAA Privacy Rule provision that requires healthcare providers to obtain an acknowledgment from patients that they have received the notice of privacy practices. Currently, healthcare providers must make a good faith effort to obtain written acknowledgments from patients, or must document why acknowledgments could not be obtained. That requirement may well be removed.

Feedback will also be sought from the public on changes to the HIPAA Privacy Rule to incorporate the HITECH Act's accounting of disclosures provision, which has not yet been adopted because of the anticipated cost to healthcare organizations.

OCR is also proposing an amendment to the HIPAA Privacy Rule, the Presumption of Good Faith of Healthcare Providers, that aims to “clarify that healthcare providers are presumed to be acting in the individual's best interests when they share information with an injured patient's family members unless there is evidence that a provider has acted in bad faith.”