The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Calls for Comment on the HITECH Act

Michael B. Martinelli, JD, MS, MS

On April 6, 2022, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a request for information (RFI) seeking public input on a series of questions regarding provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), specifically, the consideration of recognized security practices of covered entities (CEs) and business associates (BAs) when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Standard Care issued a response to the question: “The Department requests comments on any additional factors or information the Department should consider in developing a proposed methodology to share a percentage of CMPs and monetary settlements with harmed individuals.”

HIPAA does not provide a private right of action for individuals to recover damages when CEs or BAs (collectively “regulated entities”) fail to properly implement HIPAA Security Rule and HITECH standards and that failure results in an unauthorized disclosure of protected health information (PHI). A logistically practical and equitable methodology for enabling individuals to recover damages for harm incurred due to an unauthorized PHI disclosure is a model centered on private lawsuits in state courts.

Once states have been litigating these cases for a few years, OCR can evaluate the criteria various states use for assessing negligence and for calculating damages. For instance, under a common law scheme, HIPAA and HITECH data security standards can be interpreted as a duty imposed on regulated entities. Therefore, a regulated entity breaches its duty to an individual plaintiff if the factfinder determines that it failed to adequately implement HIPAA Security Rule standards, thus resulting in an unauthorized disclosure of the plaintiff’s PHI. Under this model, states function as “laboratories of democracy.” Over time, OCR can assess which state models provide the most efficient and equitable framework in order to form a minimum federal standard for recovering damages. Alternatively, the federal government could continue to entirely delegate these powers to the states under the 10th Amendment.

RFI: https://www.regulations.gov/document/HHS-OS-2022-0007-0001