Technology Blog »

Changes in HIPAA Rules Could Award Damages to Victims for Breaches

OCR could raise HIPAA penalties and award damages to victims of data breaches

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is planning to issue an advance notice of proposed rulemaking this November that could be a major game changer for HIPAA breach settlements.   

According to the Data Protection Report, the OCR plans to get public input on a policy change that would require HIPAA settlements to be shared directly with the victims of their respective data breaches.

The proposal would amend Section 13410(c)(3) of the HIPAA Hi-Tech Act (HITECH), which addresses privacy and security concerns of transmitting health information electronically by imposing civil and criminal penalties for HIPAA violations by creating a process requiring a percentage of any penalty or settlement paid for a HIPAA violation causing harm to others to be distributed between the victims of the breach.

The Data Protection Report looks at some of the biggest obstacles the OCR will encounter with the proposed policy change

At this time the OCR hasn't determined how they could generate the appropriate compensation for those harmed by a breach.  Currently determining actual damages is a very difficult task in most cases because damages from an information breach is very hard to prove.

The proposed change could also lead to higher breach settlements to appropriately compensate victims