HIPAA Enforcement: A Look AheadWill Health Data Privacy, Security Remain High Priorities for OCR?
So, what's next for the Trump administration's handling of health data privacy and security issues now that the 100-day milestone has been reached?
See Also: Passwords Alone Aren't Enough
So far, despite the overall anti-regulatory tone of the new administration, it appears that enforcement of HIPAA is moving along at the same or perhaps even a slightly more aggressive pace than what was taken by the Department of Health and Human Services under the Obama administration.
"Congress established OCR to adapt to new technology - and to protect it."
In one of his first speeches, Roger Severino, who last month took on the job of director of HHS's Office for Civil Rights, promised to keep HIPAA privacy and security enforcement a top priority.
"I came into this job with an enforcement mindset," Severino said on April 27 during a session at the Health Datapalooza conference in Washington, according to HealthcareITNews. "Congress established OCR to adapt to new technology - and to protect it."
But will that mindset continue? A lot likely depends on the resources OCR gets for fiscal 2018. The staff has been stretched thin in recent years, especially as OCR has been digesting the findings of more than 200 HIPAA compliance audits of covered entities and business associates. Plans to launch a smaller number of more comprehensive audits in early 2017 have already been delayed until later this year. And who knows if that will even happen?
Privacy attorney David Holtzman, the vice president of compliance at security consulting firm CynergisTek who formerly was a former senior policy adviser at OCR, notes that so far this year, in terms of enforcement actions taken by OCR, the agency could break its aggressive record of 2016, which included 12 settlements and one civil monetary action - not to mention the relaunch of audits.
"OCR has continued its stepped-up enforcement of the HIPAA privacy, security and breach notification rules. Thus far in 2017, the agency has announced negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million," he says.
"In all but one of these cases, organizations have also been saddled with multiyear corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations."
But it's still unclear how the Trump administration will handle bigger-picture health data privacy and security issues.
"I believe it is important to distinguish between broader policy decisions and the day-to-day operations of the department's mission," he says. "While we have not seen evidence of how administration policy on health data security and privacy issues will develop, there is ample evidence that it is business as usual in OCR's administration of the HIPAA privacy and security standards."
While meeting HIPAA compliance requirements doesn't necessarily equal the kind of robust security efforts needed to effectively safeguard data - including data that goes beyond patients' protected health information - OCR's recent enforcement ramp-up likely will help nudge security laggards out of their complacency.
But it's also important to remember that the OCR enforcement actions we're seeing have been in the works for years. Looking ahead, will OCR be spending less time investigating major breaches that get reported now? Let's hope not.
Here's an updated look at the sobering breach stats: As of April 28, there were 1,921 major breaches affecting nearly 173.4 million individuals reported to OCR since September 2009, according to HHS' "wall of shame." And to date, OCR has issued 47 HIPAA settlements and two civil monetary penalties.
So, while there's been an a slight uptick in the number of enforcement actions taken by OCR over the last year or two, the reality is that there are still slim odds that you'll end being smacked with a financial penalty related to a breach.
And the odds could grow even slimmer if OCR finds itself with a barebones budget for fiscal 2018. President Trump has proposed big cuts to HHS' overall budget for the next fiscal year beginning on Oct. 1, and he has also instructed federal agencies to plan reducing their workforces near term.
In the meantime, OCR likely will keep picking and choosing cases for settlements that highlight common mistakes entities make in safeguarding patient information. Plus, the HIPAA enforcement agency will continue to release guidance that addresses confusing and critical security and privacy issues.
Hopefully, the healthcare sector will continue to learn from these cases and guidance and make it a higher priority to bolster their overall risk management programs to better safeguard all data against evolving threats.