Upcoming Health Privacy Proposal Could Be Tough to Implement

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By James Swann

An upcoming proposal to share the proceeds of health-care data breach settlements with affected individuals could prove challenging for the government to implement.

The proposal would involve sharing a percentage of penalties paid by organizations responsible for data breaches with patients who had their records compromised.

Determining who is directly harmed by a data breach and how much they should be paid is a complex question and will pose an administrative challenge for the government, Andrea L. Frey, a health-care attorney with Hooper, Lundy & Bookman PC in San Francisco, told Bloomberg Law.

The proposed rule from the Health and Human Services Office for Civil Rights was included in the HHS semiannual regulatory agenda published May 9, and an advance notice of proposed rulemaking is slated for release in November. The proposal will ask for public comment on creating a way to calculate the payments.

“Very rarely is harm provable with data breaches, and more often than not the harm ends up being entirely speculative,” Frey said. Breaches can affect thousands of patients records, which also complicates the effort to calculate a payment, Frey said.

The proposal could also create an environment where physician practices have frivolous complaints lodged against them by individuals simply in the hopes of receiving a financial reward, Robert Tennant, director of health information technology policy at the Englewood, Colo.-based Medical Group Management Association, told Bloomberg Law.

The settlement-sharing provision is a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The OCR tends to be very selective about the data breach cases it takes on, and any resulting litigation can be very long and drawn-out, Frey said.

“Assuming you can prove numerous individuals were harmed, the actual percentage awarded would likely be very low if it’s divided equally among the breach victims,” Frey said.

The advance notice of proposed rulemaking will likely ask a series of questions on how the OCR should implement the HITECH act requirement, especially since quantifying the harm of privacy or security violation to an individual is extremely difficult, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law.

The OCR didn’t respond to a request for comment on the upcoming proposed rule.

HIPAA Disclosures

The regulatory agenda also signaled that the HHS will replace a controversial proposed rulemaking from 2011 regarding the accounting of disclosures under the Health Insurance Portability and Accountability Act, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg Law.

The HITECH Act gives patients a right to request a report that accounts for the disclosure of their PHI used for treatment and payments, Reece said.

An advance notice of proposed rulemaking will be released in November and will ask for public comment on how to implement the HITECH Act’s requirement for the accounting of disclosures.

“Crafting a regulation that implements that standard in a way that is practical has proven challenging,” Hirsch said.

The 2011 proposed rulemaking would have been an expensive burden on the entire health-care industry and would have provided very little benefit, Kirk Nahra, a privacy attorney with Wiley Rein in Washington, told Bloomberg Law. The 2011 proposal would have granted individuals the right to an accounting of disclosures of their PHI, as well as a right to receive a report on who had access to their PHI.

“What they do when they start over will be very important on whether this is a reasonable modification to the rules or something more problematic,” Nahra, a Bloomberg Law advisory board member, said.

The OCR shouldn’t impose burdensome new regulatory requirements on physician practices when it revisits the accounting of disclosures rulemaking, Tennant said. The MGMA applauded the OCR’s decision not to move forward with the earlier unworkable rulemaking, Tennant said.

Additional HIPAA Proposals

The regulatory agenda included several other proposals focused on HIPAA, including one giving physicians the benefit of doubt for sharing medical information with the families of incapacitated patients and another that would change the requirement that physicians make a good faith effort to get a written acknowledgment of their privacy procedures from patients.

The OCR has said that a good faith presumption for a physician sharing data on an incapacitated patient is implied by the HIPAA Privacy Rule, but the proposal would make it clearer for health-care providers and ensure that they feel comfortable making similar disclosures to family members, Peters said.

Changing the requirement for obtaining a written acknowledgment of privacy practice would ease the burden for physicians, Peters said.

Health-care providers and consumers have both been confused over what an acknowledgment means, particularly as to whether or not it means the individual is consenting to something other than simply receiving a Notice of Privacy Practices, Peters said.

Potentially Significant

The move toward sharing data breach civil monetary penalties could open the floodgates to whistleblower lawsuits, Hirsch said.

“This regulation could potentially create a form of financial incentive for HIPAA whistleblowers and complainants, which could lead to expanded HIPAA enforcement,” Hirsch, a Bloomberg Law advisory board member, said.

The idea of sharing data breach penalties with harmed individuals isn’t entirely new, Frey said. There are nominal damages of $1,000 in California for victims of a violation of the Confidentiality of Medical Information Act, regardless of whether they’ve been harmed, Frey said.

The CMIA is a California law designed to protect patient medical information from illegal disclosure.

“Given that this adds up quickly in cases where there are numerous victims, California courts have been actively looking for ways to curtail damages, so the same might potentially be true here if this rule were to ever take effect,” Frey said.

The proposed penalty sharing rule could also radically change HIPAA litigation if it were to allow for a private right to action, Frey said. Private individuals currently can’t sue for a HIPAA violation, Frey said.

To contact the reporter on this story: James Swann in Washington at jswann1@bloomberglaw.com

To contact the editor responsible for this story: Brian Broderick at bbroderick@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Health Care on Bloomberg Law