Following comments made in March by Roger Severino, director of the Office for Civil Rights (OCR), the Department of Health and Human Services (HHS) recently published two Notices of Proposed Rulemaking (NPRMs), seeking comments on revising the disclosure rule covering protected health information (PHI) and on sharing HIPAA Privacy Rule violation fines with victims of breaches.

The current disclosure rule, established in 2011 as part of the then-recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, is being withdrawn.

OCR’s Severino in his remarks in March offered the example of parents who had no idea their adult children were on opioids — until it was too late and they had overdosed. Therefore, he wants to add a “good faith” component to medical disclosures so that health care professionals can use their own better judgment when something needs to be disclosed to immediate family.

On the other point — sharing monies from breach penalties with victims — he told his audience:

OCR is interested in hearing from industry advocates and patients about what would be the proper approach for … creating a system through regulation in providing compensation to those hurt by breaches and HIPAA violations. A lot of breaches do end up causing significant stress, trauma and anxiety to people.

The HITECH Act actually requires that the fines be shared, but all $40 million collected so far has gone back into enforcement. The NPRM states that the goal is “establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.”

HIPAA refers to the Health Insurance Portability and Accountability Act.