DHHS has announced that it will issue the advance notice for receiving comments on proposed rules for sharing a percentage of HIPAA civil money penalties, fines, and settlements for violations and data breaches with victims. The 2009 HITECH Act contained a provision calling for DHHS to share with such victims a percentage of such monies recovered, and DHHS is finally getting around to proposing how it will do so.
The November proposed rule (if indeed the proposal is not delayed, which is not unlikely) will allow covered entities, business associates, and the public to comment on the rule. See https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201804&RIN=0945-AA04.
This proposed rule raises many issues, including, for example, the following:
- What will the percentage be? Will it vary based on the amount collected, such as, for example, 20% for amounts up to $100,000, 14% for amounts up to $1 million, and 5% for an amount over $1 million?
- Will the percentage reflect the degree of harm for affected individuals in each breach or be the same amount for all affected individuals, such as, for example, one-tenth if the group awarded consists of ten members?
- Will there be any awards for “whistleblowers”―that is, those who file a complaint with OCR but who do not suffer any harm or any significant harm? California’s civil lawsuit in such cases, for example, allows for $2,000 or actual damages, whichever is larger.
- Will claimants have a say in whether to accept a settlement in lieu of a civil money penalty?
- What evidence will claimants have to produce? What is the standard to establish harm suffered, such as, for example, clear and convincing, preponderance of the evidence, or some other standard?
- Who will decide whether one is a proper claimant and the extent of damages?
- How will claimants learn of a violation or breach that may qualify them for an award?
- How much time will claimants have to file a claim?
- Is the decision final or will an appeal be provided for? If so, to whom?
- What will the statute of limitations be for filing such an administrative claim? Will it be tolled under certain circumstances? If so, what circumstances?
- Will the percentage awarded be final, barring any other action against the covered entity or business associate, or may the claimant still file a lawsuit in federal or state court or both?
- Will attorney’s fees be allowed, and, if so, will the percentage be capped like the 20 percent cap of the Federal Tort Claims Act?
- Will serious damage to a large number of claimants cause the civil money penalty or settlement in lieu thereof to increase substantially?
- Will claimants on behalf of a deceased patient have to open an estate or prove next-of-kin or other legal status to file a claim?
- Will claimants on behalf of an incapacitated patient need to get court approval?
- Will a birth certificate showing parentage be sufficient for a claimant on behalf of a minor?
- Will there be different rules for different states that have different categories of custodial parents, such as simply custodial parents or those with legal custody?
- Others?
Alice here: Can you imagine what this rule will do to the number of HIPAA complaints filed and to the size and shape of the target pool for such complaints? Are you ready for DHHS to come audit you and your practice or business associate company as the result of a complaint against you?
Are you HIPAA compliant? (1) Do you have a written up-to-date risk analysis? (2) Have you drafted and implemented all of the written policies and procedures that your risk analysis identified that you must have in place? (3) Have you trained, and documented such training in writing, all of your workforce members, which includes employees, interns, shadow students, students, and volunteers, on HIPAA and all of your policies and procedures that would apply to each one of them? These three items are just the beginning of an audit. But if you have not done and documented in writing all three of these items, you are not compliant.
We want to help you with CYA―that is, cover your assets. We do not want you to get that free trip to Leavenworth or that very expensive trip to the bank. If you have no idea where or how to begin to get compliant or to maintain what you believe to be your compliant status, check out the HIPAA compliance books, CDs, and videos written and developed by Jon Tomes and available on our website, at http://www.veteranspress.com/products/hipaa-hitech-compliance-tools. If you want hands-on help with any of it, such as the risk analysis, policies and procedures, or training, contact us at jon@veteranspress.com or alice@veteranspress.com. We invite you to consider weighing the cost of investing in compliance tools and consulting help against the possible seven-figure civil money penalties for noncompliance.
Also, please watch for the draft rule regarding part of HIPAA civil money penalties going to HIPAA complainants/whistleblowers/victims. When DHHS announces that it is accepting comments on the draft rule, please send in to DHHS your comments, questions, and concerns. Better to air your concerns beforehand than to be left sitting there afterward in front of your keyboard with nothing to do but whine about it on Facebook.