[BreachExchange] OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

Inga Goddijn inga at riskbasedsecurity.com
Mon Jun 18 18:42:10 EDT 2018


https://www.dataprivacymonitor.com/hipaahitech/ocr-announces-intention-to-move-forward-with-development-of-methodology-to-distribute-enforcement-funds-to-victims-of-hipaa-violations/

The Office for Civil Rights (OCR) updated its agenda, outlining proposed
and final rules as well as pre-rule document releases for 2018. A notable,
and highly anticipated, advance notice of proposed rulemaking included on
the agenda indicates OCR will seek comments on establishing a way to
distribute funds collected from Health Insurance Portability and
Accountability Act (HIPAA) enforcement actions to individuals harmed by the
underlying incident. This would fulfill a long-awaited and overdue
requirement included in the Health Information Technology for Economic and
Clinical Health (HITECH) Act, which required OCR to issue regulations about
this methodology within three years of HITECH’s 2009 enactment date. The
agenda indicates this advance notice of proposed rulemaking will be
released sometime in November 2018.

This announcement is quite promising, but leaves many unanswered questions
in its wake, especially as to the impact on covered entity healthcare
organizations and business associates. Such an undertaking will present a
number of challenges, including how to define “harm” to an individual for
purposes of receiving part of any financial settlement. The current
regulations do not give much guidance on defining who has suffered a harm
and how to financially value that harm. Oftentimes, HIPAA violations
involve only medical information, of varying degrees of sensitivity. Very
rarely can individuals prove any actual harm from these incidents. Instead,
with medical diagnoses and treatment information, any harm is highly
personal, speculative and difficult to value using any sort of standard
that would be necessary to fairly distribute and compensate victims of data
breaches, absent a finding by a jury. Any methodology for disbursement of
settlement funds would need to account for the potential harm an individual
whose HIV status was released would suffer, and how that relates to the
potential harm suffered by an individual struggling with infertility. To
have all victims share equally is another option, but that poses its own
challenges and questions of fairness.

Additionally, it is hard to believe that this rulemaking and proposed
methodology will not have some impact on the size of fines and settlements
imposed on covered entities and business associates from OCR enforcement.
While arguably not the intention of the law or proposal, it certainly
offers a different lens for OCR and the public to see these enforcement
actions through.

OCR’s agenda is, of course, silent on how these challenges may be
addressed. Should the proposed rulemaking move forward at the end of this
year, it will be interesting to see the proposal from OCR, as well as the
comments from members of the healthcare community on said proposal. The
impact could pit healthcare organizations against the patients and health
plan members they serve in yet another arena, and make HIPAA penalties
arising from data breaches more attractive to OCR and the general public.