OCR considers compensating victims of healthcare breaches: 4 things to know

Jessica Kim Cohen

The HHS' Office for Civil Rights is considering a policy initiative to financially compensate victims of healthcare breaches, OCR Director Roger Severino said during a HIPAA summit presentation in Arlington, Va., March 27, BankInfoSecurity reports.

Here are four things to know about the potential change in HIPAA policy.

1. Under the Health Information Technology for Economic and Clinical Health Act of 2009, funds OCR receives through HIPAA breach settlements and civil monetary penalties may be earmarked to supplement the agency's enforcement activities or distributed among the victims of HIPAA breaches and violations.

2. The OCR has never distributed funds to breach victims, according to BankInfoSecurity. However, Mr. Severino said he is interested in assessing a pathway to compensate victims with a percentage of the funds the agency collects.

"A lot of breaches do end up causing significant stress, trauma and anxiety to people," he said. "OCR is interested in hearing from industry advocates and patients about what would be the proper approach for … creating a system through regulation in providing compensation to those hurt by breaches and HIPAA violations."

3. However, there are drawbacks to distributing settlement and penalty funds among breach victims. Susan Lucci, privacy officer and senior consultant at the consultancy Just Associates, told BankInfoSecurity these fines are designed to help OCR fund its own audit and investigative functions.

"The amount of money that might be available for distribution to individuals might be so low in cases of large breaches, that it could be perceived as grossly inadequate, and individuals might even be insulted by a small dollar award," she added.

4. To gauge feedback from the general public and industry experts, the OCR plans to release a request for information on how the agency would distribute funds it receives from HIPAA settlements and civil monetary penalties to breach victims. Mr. Severino did not specify a timeframe for the request for information.
