OCR to Issue Draft Rule on Monetary Compensation to Breach Victims; Guidance on Texting and Social Media

Article by Mary Butler. This article was originally published on the Journal of AHIMA website on March 2, 2017 and is republished here with permission.

Federal health privacy officials say that a draft law on financial compensation for individuals whose privacy has been breached will be coming down the pike by the end of the year. Additionally, officials expect to release guidance on texting protected health information (PHI), as well as social media use by covered entities, said Deven McGraw, JD, MPH, deputy director for health information privacy at HHS’s Office for Civil Rights (OCR), at the Healthcare Information and Management Systems Society (HIMSS) annual meeting.

Health information management (HIM) professionals, health IT stakeholders, and even lawmakers have been calling on regulators to either update HIPAA or issue separate laws to help enforce privacy violations in the social media age.

“What qualifies as harm when there has been a violation of privacy and security rules?” McGraw said at HIMSS, as reported by Medpage Today. “How do we determine a violation has occurred when the case is settled and there is no finding of fault? … We’ll be issuing that [proposed rule] hopefully in 2017.”

McGraw said this move is in response to a provision of the HITECH Act that requires the Department of Health and Human Services (HHS) to create a way to compensate people whose privacy has been breached, rather than just penalizing the covered entity.

Additional guidance on that front, which McGraw calls “The Anatomy of a Case,” will be a document that “walks through a typical case we do in HIPAA and how we calculate penalties, and the basic criteria we use to come to settlement amounts.”

She said that OCR gets many questions from covered entities about text messaging.

“There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department,” McGraw said.

The guidance OCR is developing will help sort out these questions. In the meantime, regarding social media use by covered entities, McGraw advises covered entities to “Make sure [when you’re using social media] to pay attention to permitted uses and disclosures, and the circumstances under which you need authorization from the individual in order to disclose what would be PHI — which has a very broad definition — on a publicly available social media page,” Medpage Today reported.

Share Article: