Will Breach Victims Finally Get a Share of HIPAA Violation Settlements?


The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act contains a provision that victims of HIPAA violations and data breaches are to receive a share of the HIPAA settlements collected by the Department of Health and Human Services’ Office for Civil Rights (OCR). In May, OCR stated its intention to issue an advance notice of proposed rulemaking in November 2018. It would be good if this plan progressed and breach victims finally received a share of the fines OCR collects; the rulemaking has been postponed for a very long time.

If OCR proceeds with this plan, the general public and industry stakeholders will be invited to comment on how it should be implemented. OCR will have to resolve a number of difficult questions, such as the following:

  • What percentage of each collected settlement will be given to the victims of the HIPAA violation?
  • How should the money be divided among the affected patients?
  • Will every victim of a breach receive the same share, or will the amount depend on the harm suffered?
  • How should the degree of harm be measured?

HIPAA settlement amounts are based on the number of individuals affected and the seriousness of the violation, and the covered entity’s ability to pay is also taken into account. In 2016, for example, New York Presbyterian Hospital paid OCR $2,200,000 for an incident that affected only a few patients, while MAPFRE Life Insurance Company of Puerto Rico paid the same amount, $2,200,000, for an incident that affected 2,200 people. If a fixed proportion of each settlement were distributed to victims, the amount received per victim would differ enormously between the two cases.

Financial penalties may also rise once victims receive a share of the fines, particularly where the breach caused significant harm, for example the unauthorized disclosure of patients’ HIV-positive status or the access of PHI by identity thieves.

The method for distributing the funds will need careful thought, and there is still time to consider it before the planned rulemaking in November. OCR is also considering changes to other HIPAA Rules. For instance, the HIPAA Privacy Rule requirement that healthcare organizations obtain a signed acknowledgment that patients have received a notice of privacy practices may be withdrawn. OCR has also suggested modifying the presumption of good faith for healthcare providers, the assumption that a healthcare organization is acting in the individual’s best interest when it discloses information to the family members of an incapacitated patient.