HHS' Office for Civil Rights is planning to issue an advance notice of proposed rulemaking in November to get the public's input on a policy change that would share HIPAA settlements with the victims of their respective data breaches, according to Data Protection Report.
OCR proposed amending a section of the Health Information Technology for Economic and Clinical Health Act, which addresses the privacy and security of electronically transmitted health information by imposing civil and criminal penalties for HIPAA violations. The proposed change would require that a percentage of any penalty or settlement paid to resolve a breach that caused harm to others be split among the victims.
Data Protection Report laid out three things to keep in mind if OCR implements the proposed rule change.
1. Damages in breach cases are often hard to prove, meaning OCR may struggle to decide what portion of the settlements victims are owed.
2. The rule could result in higher breach settlements to compensate victims.
3. The proposed rule change indicates OCR is taking HIPAA compliance and patient data security more seriously, and companies should take note.