HIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means
TL;DR
A provision of the HITECH Act requires HHS to share a percentage of HIPAA civil money penalties and settlements with individuals harmed by the underlying violations. OCR has been seeking comment on a methodology for implementing this requirement but has not yet issued a Notice of Proposed Rulemaking. If implemented, the program would create direct financial compensation for patients whose PHI was breached — and would significantly increase the financial and reputational stakes of every OCR enforcement action.
A HITECH Act provision requires HHS to share HIPAA civil money penalties with individuals harmed by violations. OCR is now seeking comment on how to implement it. Here is what the proposed program would mean for patients, covered entities, and compliance programs.
Since 2009, a provision of the HITECH Act has required HHS to share a percentage of HIPAA civil money penalties and settlements with individuals harmed by the underlying violations. For sixteen years, that requirement has gone unimplemented — because HHS has never established the methodology needed to carry it out. That is beginning to change.
The HITECH Act requirement
Section 13410(c) of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, contains a straightforward but operationally complex mandate: HHS must establish a methodology under which an individual who is harmed by a HIPAA violation may receive a percentage of any civil money penalty or monetary settlement collected with respect to that violation.
The provision was included in the HITECH Act as a recognition that HIPAA enforcement, while generating significant government revenue, did not directly compensate the patients whose privacy was violated. A patient whose medical records were impermissibly disclosed, whose PHI was exposed in a data breach, or who was denied access to their own records received no direct financial remedy from the resulting OCR enforcement action — even if the covered entity paid millions of dollars in penalties.
The HITECH Act was intended to change that. It has not yet done so.
Why implementation has taken so long
The core challenge is definitional: the statute requires that penalties be shared with individuals "harmed" by a violation, but it does not define "harm." Identifying which types of harm should count in the distribution of CMPs and monetary settlements is therefore the main obstacle to implementation.
This is not a simple question. HIPAA violations produce a range of harms across a broad spectrum:
Direct financial harm — Identity theft, fraudulent medical claims, or unauthorized financial transactions resulting from exposed PHI. These are quantifiable but may require extended time to manifest and attribute to a specific breach.
Dignitary and emotional harm — Embarrassment, anxiety, and loss of privacy resulting from the exposure of sensitive health information. These are real but difficult to quantify in dollar terms.
Consequential harm — Employment discrimination, insurance denial, or relationship damage resulting from the disclosure of sensitive diagnoses such as mental health conditions, HIV status, or substance use disorder. These are potentially severe but causally complex to attribute.
No realized harm — In many breach scenarios, affected individuals never experience any tangible negative consequence from the exposure of their PHI. Their data was exposed but was never misused. Should they receive compensation regardless?
Each definitional choice has significant implications for the program's scope and cost. A narrow definition limited to verifiable financial harm would reach relatively few individuals but produce more defensible distributions. A broad definition including dignitary harm could encompass millions of individuals across large breaches but would be administratively complex and potentially invite claims that are difficult to verify.
Where things stand in 2026
OCR is seeking comment on alternative methodologies for sharing funds. The Government Accountability Office has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. No timescale has been provided for when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2026, but it could still be several years before this HITECH Act requirement is implemented.
The GAO methodology represents a starting point — a framework developed by the federal government's own investigative arm for how such a program could work operationally. But OCR's request for alternative methodologies signals that it has not committed to the GAO approach and is still considering the design space.
The absence of a proposed rulemaking timeline means this program could move quickly or slowly depending on administrative priorities. Given the Trump administration's deregulatory posture and the operational complexity of the program, a multi-year timeline before implementation seems more likely than action in 2026.
What a victim compensation program would look like in practice
If implemented, the program would fundamentally change the relationship between HIPAA enforcement and the patients it is designed to protect. Here is how it would likely work based on the HITECH Act's requirements and the GAO's proposed framework:
Identification of harmed individuals. For large breaches already reported to HHS, the affected individuals are identified through the breach notification process — covered entities are required to notify them and report their numbers to HHS. For smaller violations or non-breach enforcement actions, identifying affected individuals could require additional investigation.
Determination of harm. A process would need to be established for assessing the harm experienced by each affected individual — potentially through a claims process, administrative review, or standardized compensation schedule based on violation type.
Calculation of distribution. The methodology would determine what percentage of the total penalty or settlement amount would be distributed to harmed individuals in aggregate, and how that amount would be allocated among individuals.
Payment mechanism. HHS would need a mechanism for locating and paying affected individuals — a non-trivial operational challenge for breaches affecting millions of people whose contact information may be outdated.
The implications for OCR enforcement
If implemented, the victim compensation program would significantly change the dynamics of OCR enforcement in several ways:
Increased settlement amounts. If covered entities know that a portion of any settlement will go directly to affected patients — not just to the government — the political and reputational stakes of enforcement increase. Organizations facing enforcement actions may face more pressure to settle quickly and at higher amounts to avoid prolonged proceedings.
Greater patient engagement. Patients who know they may receive compensation from HIPAA violations affecting them have a stronger incentive to file complaints with OCR. This could increase complaint volume — already over 51,000 per year — further straining OCR's investigative capacity.
Changed breach response calculus. Currently, covered entities make breach notification decisions based on regulatory requirements and litigation risk. If notifications trigger compensation claims, the financial exposure from breach notification increases — potentially affecting how organizations approach borderline notification decisions.
New enforcement leverage. OCR could reference the victim compensation dimension when motivating covered entities to settle — "your failure to comply didn't just harm you, it harmed your patients directly" becomes a more concrete argument when those patients may receive payment.
What covered entities should do now
The victim compensation program does not yet exist and may not be implemented for years. But its eventual implementation — which the HITECH Act requires — changes the long-term calculus of HIPAA compliance investment.
The fundamental dynamic the program creates is simple: every HIPAA violation that results in OCR enforcement could eventually produce direct financial compensation obligations to affected patients. The cost of non-compliance is not just the penalty paid to the government — it is the penalty plus a distribution to every harmed individual.
This makes the case for proactive compliance investment stronger, not weaker. Organizations that invest in risk analysis, security controls, workforce training, and breach prevention are not just reducing their regulatory exposure. They are reducing their potential exposure to a future victim compensation regime that the law has required since 2009 and that is slowly moving toward implementation.
Note
medcomply.ai will publish an update when OCR issues a Notice of Proposed Rulemaking on the victim compensation methodology. Subscribe to the Compliance Brief to receive that update in your inbox as soon as it is published.
A HITECH Act provision requiring HHS to share HIPAA penalties with harmed individuals has existed since 2009 and has never been implemented. OCR is now seeking comment on methodologies for doing so. If implemented, every OCR enforcement action could produce direct financial compensation to affected patients — significantly increasing the financial and reputational stakes of HIPAA violations beyond the penalty itself.
Sources & citations
- HITECH Act §13410(c) — Distribution of Certain Civil Monetary Penalties
- HHS OCR Request for Information — Methodology for Sharing CMPs
- GAO Report — Methodology for Sharing HIPAA Penalties with Harmed Individuals
- 45 CFR §160.404 — Amount of Civil Money Penalty
All content verified against official HHS guidance and the Code of Federal Regulations.
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.