HHS OCR Aims for Breach Victims to get Share of HIPAA Settlements
June 4, 2018
An Important Television Commercial Announcement:
Has your health information been inappropriately released by your healthcare professional or your employer? You may be eligible to share in a portion of the fines these organizations must pay for violations under the Health Insurance Affordability and Accountability Act, or HIPAA. Learn how you can get compensation. Call the law firm of Smith, Smith, and Smith to find out how HIPAA protects you. Call 555.123.4567.
Will Breach Victims Finally Reap Tangible Rewards of HIPAA Settlements?
Have your HIPAA rights been violated? If they have, you should expect a call from a legal professional. This could be the future. It seems only fair that victims of a HIPAA breach should benefit monetarily from a HIPAA breach settlement. The 2009 HITECH Act designated that the Health and Human Services Office for Civil Rights (HHS OCR) determine if the individuals whose PHI is breached will share a percentage of HIPAA data breach settlements. So far that hasn’t happened, but that may change.
The 2018 HHS semiannual regulatory agenda included OCR’s statement that they would solicit the public’s view on how to establish a methodology for how breach victims would receive a percentage of any penalty or settlement resulting from the breach. OCR plans to issue an advance notice of proposed rulemaking along with the proposal in November 2018:
This advance notice of proposed rulemaking would solicit the public’s views on establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense. The Department is required by section 13410(c)(3) of the Health Information Technology for Economic and Clinical Health (HITECH) Act (title XIII of the American Recovery and Reinvestment Act of 2009) to issue rules to establish this methodology.
Once victims are granted a share of the penalties, the number of breaches reported will skyrocket. In 2017, ten resolution agreements resulted in fines of $19,393,200 levied by HHS OCR – 135,969 individuals were affected.
Does this sound like Déjà Vu?
While the rule holds promise for breach victims, this isn’t the first time that OCR officials have said that steps will be taken to compensate victims. Previous advance notice of proposed rulemaking has been delayed. Why? Deciding to award victims is the easy part – but concluding how to establish terms for awards is the challenge. Questions such as the following are what makes actually implementing the endeavor so tough:
- Who is harmed? In other words, how is “victim” defined?
- What is the definition of “harmed”? Would the amount of compensation be quantified by the number of PHI details exposed?
- Do some details deserve more compensation than others?
- How would OCR determine how much each victim is compensated?
Also, OCR takes the ability of a covered entity to pay a penalty into account. The amount paid to breach victims of the same type of HIPAA violations at different covered entities would likely be greatly different. A powerhouse company would likely be able to pay fines much greater than a startup, for example.
Can OCR make it happen?
Does HHS OCR have the capacity to make these decisions, especially when possibly facing budget cuts in the coming year? The Trump Administration proposes huge cuts to the HHS OCR 2019 budget. President Trump proposes that OCR’s budget would be reduced from $39 million to $31 and they would lose five staff members.
In spite of the budget reductions, there will likely be changes to come. Why? Medical providers and employers are taking patient/employee privacy more seriously than ever before because patients and employees are becoming more aware of their rights. Although the recently implemented GDPR only applies to information residing or created in the EU, these guidelines will likely become the worldwide de facto standards. One way HHS can appear to protect PHI is compensating individuals whose PHI has been compromised. Once the legal professionals identify this as a revenue source, more people will file claims. Covered entities and business associates, take note!