OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

BakerHostetler

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability Act (HIPAA) enforcement actions to individuals harmed by the underlying incident. This would fulfill a long-awaited and overdue requirement included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which required OCR to issue regulations about this methodology within three years of HITECH’s 2009 enactment date. The agenda indicates this advance notice of proposed rulemaking will be released sometime in November 2018.

This announcement is quite promising, but leaves many unanswered questions in its wake, especially as to the impact on covered entity healthcare organizations and business associates. Such an undertaking will present a number of challenges, including how to define “harm” to an individual for purposes of receiving part of any financial settlement. The current regulations do not give much guidance on defining who has suffered a harm and how to financially value that harm. Oftentimes, HIPAA violations involve only medical information, of varying degrees of sensitivity. Very rarely can individuals prove any actual harm from these incidents. Instead, with medical diagnoses and treatment information, any harm is highly personal, speculative and difficult to value using any sort of standard that would be necessary to fairly distribute and compensate victims of data breaches, absent a finding by a jury. Any methodology for disbursement of settlement funds would need to account for the potential harm an individual whose HIV status was released would suffer, and how that relates to the potential harm suffered by an individual struggling with infertility. To have all victims share equally is another option, but that poses its own challenges and questions of fairness.

Additionally, it is hard to believe that this rulemaking and proposed methodology will not have some impact on the size of fines and settlements imposed on covered entities and business associates from OCR enforcement. While arguably not the intention of the law or proposal, it certainly offers a different lens for OCR and the public to see these enforcement actions through.

OCR’s agenda is, of course, silent on how these challenges may be addressed. Should the proposed rulemaking move forward at the end of this year, it will be interesting to see the proposal from OCR, as well as the comments from members of the healthcare community on said proposal. The impact could pit healthcare organizations against the patients and health plan members they serve in yet another arena, and make HIPAA penalties arising from data breaches more attractive to OCR and the general public.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
