[ Thursday, February 23, 2017 ]
Jeff [1:46 PM]
HIPAA lawyer Adam Greene was interviewed at HIMSS, and noted that HHS is close to publishing the regulations implementing the HITECH revisions that allow affected individuals to get a share of the fines levied by OCR. As you should know, there's no private cause of action for a HIPAA violation, so unless a victim of a data breach can prove damages in a regular tort claim lawsuit (which is usually hard to do in a data breach case), there's no financial recovery for them. Only OCR can get money for a HIPAA breach, by fining the breaching entity.
HITECH included a provision, ostensibly to tweak up enforcement actions, that would allow affected individuals to share in the fines levied by OCR.
Will the fact that an individual can get part of a HIPAA fine mean that data breach class actions will be easier to bring? Adam asks, "if [a person] is considered a harmed individual under HIPAA, should we consider them harmed for other purposes, too?" Many lawyers have tried bringing class action lawsuits for data breaches, but generally they fail because it's too hard to prove that the victims are actually damaged: someone might use your data, or they might not; if they do, the credit card company might not hold you liable, so you have no damages; and until you can show actual damages, you don't have "standing" to pursue your own legal action, much less a class action on behalf of all of the victims of the same breach. This inability to prove harm prevents the class action from holding.
I don't think Adam's point will come to fruition. Getting to share in the fine doesn't mean you are harmed, necessarily, or at least not in the way of actual monetary damages. Whistleblowers get a piece of the recovery in a Qui Tam case for Medicare fraud, for example, even though they couldn't be plaintiffs directly since they aren't directly harmed by Medicare fraud. I think HIPAA breach victims who get a share of the fine will be more like Qui Tam whistleblowers, and less like "harmed" individuals with standing to bring a class action. But we will see. . . .
. . . . whenever the regulation is actually published. THAT will get a blog post out of me.