A pending federal regulation - called for under the HITECH Act - that would allow regulators to share with breach victims money collected in HIPAA violation cases eventually could have implications in class-action breach lawsuits, says privacy attorney Adam Greene.
The Department of Health and Human Services' Office for Civil Rights "is working on a new regulation where they would share a portion of penalties and settlements with 'harmed' individuals - and they're still trying to figure out what a 'harmed' individual is," Greene says. "It will be interesting to see, when that regulation gets proposed and ultimately finalized, if that has an impact on class-action [breach lawsuits]."
In an interview at the HIMSS17 conference in Orlando, Greene questions whether judges will say, for example: "Well, if [a person] is considered a harmed individual under HIPAA, should we consider them harmed for other purposes, too?"
So far, the courts have mostly dismissed class-action lawsuits where plaintiffs impacted by a data breach have not shown clear evidence of harm, such as identity theft, he points out.
During the HIMSS17 conference, Deven McGraw, OCR deputy director of health information privacy, confirmed that the rule regarding sharing proceeds of HIPAA settlements with victims is among the potential rulemaking activities slated by her office in 2017.
Other Issues to Watch
In the interview with Information Security Media Group (see audio link below photo), Greene also discusses:
- The potential implications in class-action lawsuits when an organization has security technology, such as data loss prevention software, implemented but has failed to turn on certain key breach prevention features;
- Other security-related litigation and court rulings to watch in 2017;
- Challenges faced by covered entities and business associates in assessing whether some security incidents, such as ransomware attacks, are reportable breaches.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.