This coming November, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is slated to discuss an “advance notice of proposed rulemaking” that is requesting for public input on how OCR could share HIPAA fines with the victims of security breaches.
This is not the first time OCR has called this action, as this is the 13th time since fall of 2012 that they have called for the advanced notice of proposed rulemaking. Patients are holding their breath hoping that this 13th time really is the charm.
HIPAA, HITECH, and HHS
According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patients of healthcare providers that violate HIPAA regulation are not allowed to collect damages, as HIPAA does not allow “private cause of action.” In other words, this means that HIPAA regulation does not allow patients to file private lawsuits against health providers. However, recent precedents like the HIPAA lawsuit upheld by the Connecticut Supreme Court, now allow patients to hold providers individually liable for an unauthorized release of protected health information (PHI).
Although this ruling in Connecticut–and similar rulings in New York, Massachusetts, and Michigan–are relatively set in stone, the Health Information Technology for Economic and Clinical Health Act (HITECH) comes into play as well. HITECH has two main provisions that are going to be the focus in OCR’s forthcoming notice of proposed rulemaking.
First, HITECH states that HHS must propose a plan “under which an individual who is harmed by an act that constitutes an offense may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.”
The second provision somewhat counteracts that statement, stating that HIPAA settlements “shall be transferred to be used for purposes of enforcing the provisions.”
As the regulations currently stand, the patients do not have the chance to collect money for civil monetary settlements, as it seems that all the HIPAA fines go straight toward supporting future enforcement.
Why is Making This Ruling So Difficult?
There are a couple issues as to why making this rule would be difficult, however the biggest question is “How do you measure the value of harm to an individual after PHI is released?” OCR will have to set the standard relatively high, or risk patients taking advantage of this rule who are looking to cash in on HIPAA settlements. The potential for patient abuse is high–which could lead to even greater risks of HIPAA enforcement in the future.
Another important question is “What types of HIPAA violations would qualify for sharing of HIPAA fines?” Determining what types of violations deserve payment is something OCR will have to examine so that nothing is overlooked.
Should HIPAA Settlements be Shared?
Is it logical for OCR to share HIPAA settlements with patients affected by a HIPAA violation?
It’s worth considering that when breaches affect a large number of people, the amount of money dispensed to patients may be too small, or may not be worth distributing as it cover damages caused by their PHI being released without consent.
With the potential for HIPAA fines to be shared with victims of data breaches, clients and patients will have more incentive than ever to report HIPAA violations to HHS, putting your business at risk. Being HIPAA compliant can ensure that you are taking the correct steps to avoid this by implementing an effective compliance program to ensure the security, privacy, and confidentiality of your patients’ PHI.