[BreachExchange] OCR To Share HIPAA Data Breach Settlements With Victims
destry at riskbasedsecurity.com
Wed May 16 17:41:17 EDT 2018
OCR is proposing to share a percentage of HIPAA data breach
settlements with victims, as required by the HITECH law.
In the HHS semiannual regulatory agenda, OCR said it is soliciting the
public’s view on establishing a methodology for those harmed by a data
breach or other HIPAA violation to receive a percentage of any penalty
or settlement resulting from the breach.
The office plans to issue an advance notice of proposed rulemaking
with the proposal in November.
While this is an intriguing proposal, its implementation might be a
huge challenge for OCR.
“The devil is in the details. There are potential issues with this
approach,” Marcus Christian, a cybersecurity and data privacy attorney
with the law firm of Mayer Brown, told HealthITSecurity.com.
“You can imagine a number of problems coming out of it. It will be
important to get good feedback on the proposed regulation and a
thoughtful period of analysis and crafting the rule,” he noted.
Christian said it would be difficult for OCR to determine who is
harmed, what the harm is, and how much victims should be compensated.
“I don’t believe that OCR currently has the capacity to do that,” he said.
“There would have to be something built to do that, not just figuring
out how to do it, but who is going to do it, how much transparency
there will be,” Christian continued. “Will there be an appeals
process? It doesn’t take a lot of imagination to see that the process
could get quite involved and costly.”
Christian said that OCR’s decisions on compensation for individuals or
groups could provide an incentive for people to bring lawsuits because
OCR decided that they should be compensated. Individuals could also
file a lawsuit for other reasons, such as feeling like they weren’t
“Whenever there is something new like this put into place, the
unintended consequences can be quite significant,” he added.
Christian said that the proposal, if enacted, also might lead to
higher OCR penalties to provide more funds for victims.
“In some instances, you have many victims. If you did the math and
divided the monetary penalty by the number of people impacted,
assuming that none of it goes toward agency operations, you are not
going to get a large amount per person. An individual who gets $15
after his or her information has been disclosed might not be satisfied
with that amount. There could be some pressure to increase
settlements,” Christian predicted.
“Unquestionably, there will be scrutiny of these awards if there is
any amount of transparency to it. People may say the award is fair or
unfair. You have a large number of people, and they don’t all have the
same information disclosed. Should they be treated equally or not?
There is a lot that remains to be seen,” he continued.
Andrea L. Frey, a healthcare attorney with Hooper, Lundy & Bookman,
also stated that there are potential challenges posed by the proposed
“Very rarely is harm provable with data breaches, and more often than
not the harm ends up being entirely speculative,” Frey told Bloomberg Law.
“Assuming you can prove numerous individuals were harmed, the actual
percentage awarded would likely be very low if it’s divided equally
among the breach victims,” she said.
As an example, last year OCR fined Memorial Healthcare $5.5 million for
a breach that affected at least 105,646 individuals. That would work
out to be about $52 per victim, assuming that OCR did not keep any of the
The HHS regulatory agenda includes a few other proposed HIPAA-related actions.
One proposed rule “would change the requirement that healthcare
providers make a good faith effort to obtain from individuals a
written acknowledgment of receipt of the provider's notice of privacy
practices, and if not obtained, to document its good faith efforts and
the reason the acknowledgment was not obtained.”
Another proposed rule would solicit the public’s views on modifying
the HIPAA Privacy Rule to implement the accounting of PHI disclosures
provisions of HITECH. The original notice of proposed rulemaking to
implement this HITECH requirement was first issued in 2011 but was
delayed out of concern that it would be expensive for the industry to
“What they do when they start over will be very important on whether
this is a reasonable modification to the rules or something more
problematic,” Kirk Nahra, a privacy attorney with Wiley Rein in
Washington, told Bloomberg Law.
Yet another proposed rule “would modify the HIPAA Privacy Rule to
clarify that healthcare providers are presumed to be acting in the
individual's best interests when they share information with an
incapacitated patient's family members unless there is evidence that a
provider has acted in bad faith.”
Judging by the HHS regulatory agenda, there is certainly enough HIPAA
work to keep OCR busy in the coming months.