The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.
The notice would solicit public opinion on creating a process for sharing a percentage of any penalty or settlement with those harmed by an offense punishable under HIPAA. Section 13410(c)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH)—which addresses privacy and security concerns associated with electronic transmission of health information by strengthening civil and criminal enforcement of HIPAA rules—requires HHS to establish a methodology to distribute such monetary collections to those harmed.
This ambitious proposal would be a drastic step in HIPAA data protection, but implementing it may present some hurdles for OCR. For example, it could be difficult for OCR to determine how much to compensate those harmed, especially considering that damages in data breaches are difficult to prove. Additionally, this new mechanism could lead to much higher OCR penalties in order to compensate the victims. Companies should take note that this move by OCR indicates an added emphasis on HIPAA compliance and patient data protection.
The Data Protection Report will continue to monitor any updates on this OCR proposal.