The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is planning to issue an advance notice of proposed rulemaking this November that could be a major game changer for HIPAA breach settlements.
According to the Data Protection Report, the OCR plans to get public input on a policy change that would require HIPAA settlements to be shared directly with the victims of their respective data breaches.
The proposal would amend Section 13410(c)(3) of the HIPAA Hi-Tech Act (HITECH), which addresses privacy and security concerns of transmitting health information electronically by imposing civil and criminal penalties for HIPAA violations. The amendment would create a process requiring a percentage of any penalty or settlement paid for a HIPAA violation that causes harm to others to be distributed among the victims of the breach.
At this time, the OCR hasn't determined how it could generate the appropriate compensation for those harmed by a breach. Currently, determining actual damages is a very difficult task in most cases because damages from an information breach are very hard to prove.
The proposed change could also lead to higher breach settlements to appropriately compensate victims.