OCR considers compensating victims of healthcare breaches: 4 things to know

The HHS' Office for Civil Rights is considering a policy initiative to financially compensate victims of healthcare breaches, OCR Director Roger Severino said during a HIPAA summit presentation in Arlington, Va., March 27, BankInfoSecurity reports.

Here are four things to know about the potential change in HIPAA policy.

1. Under the Health Information Technology for Economic and Clinical Health Act of 2009, funds OCR receives through HIPAA breach settlements and civil monetary penalties may be earmarked to supplement the agency's enforcement activities or distributed among the victims of HIPAA breaches and violations.

2. The OCR has never distributed funds to breach victims, according to BankInfoSecurity. However, Mr. Severino said he is interested in assessing a pathway to compensate victims with a percentage of the funds the agency collects.

"A lot of breaches do end up causing significant stress, trauma and anxiety to people," he said. "OCR is interested in hearing from industry advocates and patients about what would be the proper approach for … creating a system through regulation in providing compensation to those hurt by breaches and HIPAA violations."

3. However, there are drawbacks to distributing settlement and penalty funds among breach victims. Susan Lucci, privacy officer and senior consultant at the consultancy Just Associates, told BankInfoSecurity these fines are designed to help OCR fund its own audit and investigative functions.

"The amount of money that might be available for distribution to individuals might be so low in cases of large breaches, that it could be perceived as grossly inadequate, and individuals might even be insulted by a small dollar award," she added.

4. To gauge feedback from the general public and industry experts, the OCR plans to release a request for information on how the agency would distribute funds it receives from HIPAA settlements and civil monetary penalties to breach victims. Mr. Severino did not specify a timeframe for the request for information.

© Copyright ASC COMMUNICATIONS 2019.