Sharing HIPAA Fines With Victims: Will It Ever Happen?HITECH Act Mandated Sharing the Wealth, But Rulemaking Has Stalled
Will federal regulators finally tackle long overdue rulemaking related to a HITECH Act provision calling for the Department of Health and Human Services to share money collected from HIPAA settlements and penalties with breach victims?
See Also: The Power and Scale of XDR
A recent entry on the Office of Management and Budget's regulations agenda website notes that HHS' Office for Civil Rights' has slated for November an "advance notice of proposed rulemaking" requesting public input for how OCR may share funds collected from HIPAA enforcement actions with affected individuals.
OMB says the notice "would solicit the public's views on establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense." The entry notes that HHS "is required by ... the HITECH of 2009 to issue rules to establish this methodology."
But don't hold your breath: OCR has announced plans to issue an advanced notice of proposed rulemaking on the issue 12 previous times - every spring and fall since 2012. Will the 13th time be a charm?
"'Optimism' that OCR would establish regulations to implement this HITECH Act mandate would not be a word that I could use," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "This 'can' has been 'kicked down the road' for years because it opens the proverbial can of worms. Congress did not define what 'harm' would be eligible for compensation."
This rulemaking work, if it actually begins to move forward, will involve many challenges.
Under the HITECH Act, HHS had until 2012 to devise a method "under which an individual who is harmed by an act that constitutes a [HIPAA privacy or security] offense may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense."
HITECH, however, also contains a provision saying that civil monetary penalties and financial settlements "shall be transferred to be used for purposes of enforcing the provisions." And so far, it appears all money collected has gone to support enforcement.
Since 2008, OCR has issued 51 HIPAA resolution agreements involving financial settlements and thee civil monetary penalties totaling nearly $38 million. Of that, OCR has collected about $33.7 million: One civil monetary penalty for $4.3 million issued to a Maryland-based clinic, Cignet Health, was never paid because the clinic ended up filing for bankruptcy.
What's So Difficult?
Several factors play into the difficulty OCR faces in crafting a regulation that awards a percentage of HIPAA fines and settlements to individuals who are harmed by privacy and security violations.
"How do you measure the value of harm to an individual whose PHI was disclosed? What types of HIPAA violations would qualify for sharing?" Holtzman asks. "With resources already stretched razor thin, how would OCR administer a new program like this? And, if 2018 is any example, the promise to share in recoveries would be empty if OCR chose not to levy fines and penalties for failing to comply with the HIPAA rules."
Privacy attorney Iliana Peters, who recent joined the Washington office of law firm Polsinelli after serving at OCR as an enforcement and compliance official for a decade, notes that there is nothing in the statute that prevents OCR from requiring covered entities or business associates to pay individuals directly - for example, through a trust - and separately from any payments made to HHS OCR. That's similar to what is often done in state court settlements, she notes.
"In other words, given that HHS OCR is not in the business of giving money to individuals - and resources, which are already limited, would have to be dedicated to such an effort - it would seem to make sense to require the entities to undertake such efforts as part of a settlement or payment of a civil money penalty," she says.
"It continues to be very important for HHS OCR to be able to collect settlements and penalties. As appropriated funding to the OCR continues to decrease, OCR will need resources to enforce the HIPAA rules, as provided for by Congress in the HITECH Act."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says he's unsure what would prompt OCR to act now on the HITECH Act provision on making payments to victims.
Plus, he points out that soliciting ideas for how a system of making such payments would work won't necessarily result in creation of "an actual proposed rule."
Peters offers a similar assessment. "This is an advance notice, which means it is likely that HHS OCR still has many questions about how it would move forward with the HITECH Act's requirement and is looking to the public for help in answering the questions, just for purposes of proposing a rule," she says.
If OCR does begin the process of soliciting public comment this fall, no one should expect a final regulation to be enacted anytime soon.
The steps in the rulemaking process could take "at least a couple of years total, given all of the process, review and resources that are required by Administrative Procedure Act rulemaking," Peters says.
But does it even make sense for HHS to share money collected in HIPAA settlements and penalties?
"HIPAA sets a rather low bar for defining breaches, lower than most state laws."
—Kate Borten, The Marblehead Group
"HIPAA sets a rather low bar for defining breaches, lower than most state laws," notes Kate Borten, president of the privacy and security consultancy The Marblehead Group.
"Essentially, a [HIPAA] breach occurs when a covered entity or business associate loses control over protected health information for which it is responsible," she says. "Hence, it's important to note that while PHI is at risk of exposure or misuse, many, if not most, HIPAA breaches never result in any harm to patients."
Several key issues that need to be considered in a potential proposed rule, Nahra notes. "From my perspective, the major concerns here involve how harm will be defined and whether this will push OCR for higher settlements," he says.
"I would encourage a pretty high standard for 'harm' to discourage frivolous claims for compensation. I also think that some bright line is needed so that this doesn't become an enormous burden on HHS to identify 'victims' and allocate money."
Given that OCR now keeps most of what it collects in fines to help fund enforcement, Nahra says, "I'm not sure the requirement to give some to individuals makes them more likely to pursue larger settlements - but who knows?"
When it comes to major breaches affecting large numbers of people, the amount OCR might potentially distribute to each "harmed" individual might be relatively meager, he points out.
It remains unclear how a new rule for distributing funds to victims would intersect with civil litigation claims for damages in the same breach cases, Nahra notes.
"If there is a large breach, and a class action case is being pursued, is there a need for a separate provision?" the attorney asks. "We may see some ongoing confusion between the class action cases and the OCR settlements. But, at least for now, the class action cases have been faster [to process] than OCR, so we certainly may see a situation where the class action case, however it gets resolved, leads OCR not to include a harm payment to individuals."
If OCR does, indeed, decide to kick off rulemaking work in November, that task will be added to the agency's already long to-do list. For example, OCR plans to re-start from scratch on its effort to draft a modified HIPAA accounting of disclosures rule (see: OCR Plans Do-Over For Accounting of Disclosures Proposal).
OCR did not immediately respond to an Information Security Media Group request for comment.