- OCR is proposing to share a percentage of HIPAA data breach settlements with victims, as required by the HITECH law.
In the HHS semiannual regulatory agenda, OCR said it is soliciting the public’s view on establishing a methodology for those harmed by a data breach or other HIPAA violation to receive a percentage of any penalty or settlement resulting from the breach.
The office plans to issue an advance notice of proposed rulemaking with the proposal in November.
While this is an intriguing proposal, its implementation might be a huge challenge for OCR.
“The devil is in the details. There are potential issues with this approach,” Marcus Christian, a cybersecurity and data privacy attorney with the law firm of Mayer Brown, told HealthITSecurity.com.
“You can imagine a number of problems coming out of it. It will be important to get good feedback on the proposed regulation and a thoughtful period of analysis and crafting the rule,” he noted.
Christian said it would be difficult for OCR to determine who is harmed, what the harm is, and how much victims should be compensated.
“I don’t believe that OCR currently has the capacity to do that,” he said.
“There would have to be something built to do that, not just figuring out how to do it, but who is going to do it, how much transparency there will be,” Christian continued. “Will there be an appeals process? It doesn’t take a lot of imagination to see that the process could get quite involved and costly.”
Christian said that OCR’s decisions on compensation for individuals or groups could provide an incentive for people to bring lawsuits because OCR decided that they should be compensated. Individuals could also file a lawsuit for other reasons, such as feeling like they weren’t compensated enough.
“Whenever there is something new like this put into place, the unintended consequences can be quite significant,” he added.
Christian said that the proposal, if enacted, also might lead to higher OCR penalties to provide more funds for victims.
“In some instances, you have many victims. If you did the math and divided the monetary penalty by the number of people impacted, assuming that none of it goes toward agency operations, you are not going to get a large amount per person. An individual who gets $15 after his or her information has been disclosed might not be satisfied with that amount. There could be some pressure to increase settlements,” Christian predicted.
“Unquestionably, there will be scrutiny of these awards if there is any amount of transparency to it. People may say the award is fair or unfair. You have a large number of people, and they don’t all have the same information disclosed. Should they be treated equally or not? There is a lot that remains to be seen,” he continued.
Andrea L. Frey, a healthcare attorney with Hooper, Lundy & Bookman, also stated that there are potential challenges posed by the proposed rule.
“Very rarely is harm provable with data breaches, and more often than not the harm ends up being entirely speculative,” Frey told Bloomberg Law.
“Assuming you can prove numerous individuals were harmed, the actual percentage awarded would likely be very low if it’s divided equally among the breach victims,” she said.
As an example, last year OCR fined Memorial Healthcare $5.5 million for a beach that affected at least 105,646 individuals. That would work out to be $52 per victim, assuming that OCR did not keep any of the money itself.
The HHS regulatory agenda includes a few other proposed HIPAA-related actions.
One proposed rule “would change the requirement that healthcare providers make a good faith effort to obtain from individuals a written acknowledgment of receipt of the provider's notice of privacy practices, and if not obtained, to document its good faith efforts and the reason the acknowledgment was not obtained.”
Another proposed rule would solicit the public’s views on modifying the HIPAA Privacy Rule to implement the accounting of PHI disclosures provisions of HITECH. The original notice of proposed rulemaking to implement this HITECH requirement was first issued in 2011 but was delayed out of concern that it would be expensive for the industry to implement.
“What they do when they start over will be very important on whether this is a reasonable modification to the rules or something more problematic,” Kirk Nahra, a privacy attorney with Wiley Rein in Washington, told Bloomberg Law.
Yet another proposed rule “would modify the HIPAA Privacy Rule to clarify that healthcare providers are presumed to be acting in the individual's best interests when they share information with an incapacitated patient's family members unless there is evidence that a provider has acted in bad faith.”
Judging by the HHS regulatory agenda, there is certainly enough HIPAA work to keep OCR busy in the coming months.