The Office for Civil Rights (OCR) updated its regulatory agenda, outlining the proposed rules, final rules and pre-rule documents it expects to release in 2018. A notable and highly anticipated item on the agenda is an advance notice of proposed rulemaking in which OCR will seek comments on establishing a methodology for distributing funds collected from Health Insurance Portability and Accountability Act (HIPAA) enforcement actions to individuals harmed by the underlying incident. This would fulfill a long-overdue requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which directed OCR to issue regulations establishing such a methodology within three years of HITECH's enactment in 2009. The agenda indicates this advance notice of proposed rulemaking will be released sometime in November 2018.
This announcement is quite promising, but leaves many unanswered questions in its wake, especially as to the impact on covered entity healthcare organizations and business associates. Such an undertaking will present a number of challenges, including how to define “harm” to an individual for purposes of receiving part of any financial settlement. The current regulations do not give much guidance on defining who has suffered a harm and how to financially value that harm. Oftentimes, HIPAA violations involve only medical information, of varying degrees of sensitivity. Very rarely can individuals prove any actual harm from these incidents. Instead, with medical diagnoses and treatment information, any harm is highly personal, speculative and difficult to value using any sort of standard that would be necessary to fairly distribute and compensate victims of data breaches, absent a finding by a jury. Any methodology for disbursement of settlement funds would need to account for the potential harm an individual whose HIV status was released would suffer, and how that relates to the potential harm suffered by an individual struggling with infertility. To have all victims share equally is another option, but that poses its own challenges and questions of fairness.
Additionally, it is hard to believe that this rulemaking and the proposed methodology will not have some effect on the size of the fines and settlements that OCR enforcement imposes on covered entities and business associates. While arguably not the intention of the law or the proposal, it certainly gives OCR and the public a different lens through which to view these enforcement actions.
OCR's agenda is, of course, silent on how these challenges might be addressed. Should the proposed rulemaking move forward at the end of this year, it will be interesting to see OCR's proposal, as well as the comments on it from members of the healthcare community. The result could pit healthcare organizations against the patients and health plan members they serve in yet another arena, and make HIPAA penalties arising from data breaches more attractive to OCR and the general public.