The headline above may puzzle longtime HIPAA experts, covered entities (CEs) and others, because they know that, at least currently, the HHS Office for Civil Rights (OCR) has no role in compensating people whose privacy has been violated by medical organizations.
But OCR should be in the business of compensating them, and would be, had it completed a task Congress gave it 10 years ago.
HIPAA did not create a private right of action, meaning there was no natural or easy way for individuals to sue for violations of that law. Cases have been brought by individuals, however, beginning in 2010, after an enterprising attorney with a solo practice in Indiana conceived of suing a CE for malpractice and using HIPAA as the standard that had been violated. Neal Eggeson would go on to collect millions on behalf of individual patients, and now devotes his practice solely to medical privacy litigation. (An upcoming issue of RPP will feature a Q&A with Eggeson).
In recent years, cases have also been brought based on violations of state privacy laws. Class action suits have proliferated, but these typically provide a few thousand dollars to the patients named in a suit and the value of credit monitoring to the rest of the litigation class (“In Sign of Growing State Might, Premera Pays $10M to 30 AGs, $74M to Resolve Class Action,” RPP 19, no. 8). Additionally, a $1 million judgment that a patient won against a California psychiatrist, who had reported the patient as someone she believed to be homicidal, was recently reaffirmed by the trial judge, but the doctor plans to appeal (“Judge Upholds $1M Award for Psychiatrist's Warning of Possible Shooting; Appeal Begins,” RPP 19, no. 8).
In 2016, OCR settled with New York Presbyterian for $2.2 million over what the agency called “egregious disclosures” to the news media involving two patients. In 2011, without his family’s knowledge or consent, television crews taped the dying moments of a man for a documentary series on emergency rooms. Although his face was blurred, the man’s wife later recognized his voice when she saw the show in a re-run. The family, which received nothing from the OCR settlement because the regulation that would share penalties with harmed individuals had never been written, had been pursuing compensation and other relief in court. The status of that case is not clear, and the identity of the second patient OCR referred to was not disclosed (“‘Egregious Disclosures’ Cost NYP $2.2M, But All CEs to Feel Sting of Recording Ban,” RPP 16, no. 5).
After passage of HIPAA in 1996, the Centers for Medicare & Medicaid Services (CMS) was tasked with ensuring compliance, a duty OCR later assumed. OCR has the authority, and has used it, to collect millions of dollars from organizations for breaches of privacy and security and related HIPAA violations (some settlements have also faulted organizations for late notification, in violation of the Breach Notification Rule).
In 2009, however, Congress passed the HITECH Act as part of the American Recovery and Reinvestment Act, the law designed to help alleviate the recession. Among other things, the HITECH Act directed HHS to create a mechanism for sharing a percentage of the civil monetary penalties (CMPs) OCR collects for HIPAA violations “with individuals harmed by the actions for which CMPs were imposed.”
OCR is Nine Years Late
Congress gave HHS until February 2012 to issue a regulation implementing this requirement. HHS has still not done so.
OCR has acknowledged this task and for many years officials have said they are working on a regulation. More recently, OCR said it first planned to issue an advance notice of proposed rulemaking (ANPRM) “to solicit the public's views on proposals for the distribution of civil money penalty and monetary settlements with those harmed” by a HIPAA “offense.”
An ANPRM precedes a proposed rule and can lengthen the path to a final regulation. In the spring update to the governmentwide regulatory agenda, HHS estimated that it would publish the ANPRM in July; that has not happened. Interestingly, the update says the ANPRM will also address “annual limits on civil money penalties under the HITECH Act.” In May, OCR Director Roger Severino announced, effective immediately, a significant reduction in the annual penalty caps, to levels and a tiered methodology he said reflected a more accurate reading of the law (“Easy Win for MD Anderson? OCR Drops Annual Caps, Issues Warning on Right-of-Access Denials,” RPP 19, no. 5).
At the time, Severino said OCR would begin the rulemaking process to codify the change, but he did not mention that it would be combined with the rulemaking on distributing penalties to harmed individuals.
At least one individual would be eager to give OCR his thoughts on how to quantify harm from privacy violations: Eggeson, the Indiana attorney who has settled dozens of cases using HIPAA as the standard of care whose violation establishes harm. He also won $1.8 million from Walgreens in 2014 and, in 2010, $1.25 million on behalf of an HIV patient.
Eggeson tells RPP he’d be happy to assist OCR in drafting the regulation: “I would welcome that contact.”
Contact Eggeson at nfelaw@gmail.com.