The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is planning to issue an advance notice of proposed rulemaking this November that could be a major game changer for HIPAA breach settlements. According to the Data Protection Report, the OCR plans to get the public’s input on a policy change that would involve HIPAA settlements to be shared with the victims of their respective data breaches.
The proposal would amend Section 13410(c)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH), which addresses privacy and security concerns of transmitting health information electronically by imposing civil and criminal penalties for HIPAA violations.
The proposed change would create a process requiring a percentage of any penalty or settlement paid for a HIPAA violation causing harm to others to be distributed between the victims of the breach.
The Data Protection Report looks at some of the biggest obstacles the OCR will encounter with the proposed policy change. For starters, the OCR would have to find a way to determine the appropriate compensation for those harmed by a breach, which could be a difficult task in many cases since damages of breaches are often hard to prove. This change could also lead to higher breach settlements to appropriately compensate victims.
Companies should take note that this move by OCR indicates an added emphasis on HIPAA compliance and patient data protection.”