New Secretary of HHS and HIPAA Changes

On February 10, 2017, Tom Price was appointed as secretary of the Department of Health and Human Services on February. He has replaced Sylvia Matthews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights.

The appointment of a new director for the Office for Civil Rights may not be a high priority for the new Secretary, although he is expected to appoint the new director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules, and rigorous those enforcement activities are.

Since taking up the position of OCR Director in July 2014, Jocelyn Samuels oversaw a major increase in HIPAA enforcement activity in comparison to previous years. in 2016 alone, Jocelyn Samuels announced 12 settlements (and one CMP) with covered entities who were discovered to have violated HIPAA Rules during investigations into data breaches. This is a record year of enforcement for OCR.

The former secretary also oversaw the much delayed second of HIPAA compliance audits. Last year, the audits finally commenced with approximately 200 covered entities and HIPAA business associates subjected to a HIPAA compliance desk audit. Full compliance audits have been scheduled for early 2017 as part of the second phase. Jocelyn Samuels had expressed interest in increasing the financial penalties for those in violation of HIPAA legislation, and to ensure non-compliance was identified and corrected. The leadership changes derail these plans, and the future HIPAA enforcement is in doubt.

However, given the number of data breaches experienced by the healthcare industry in the past 12 months, it seems unlikely that OCR enforcement efforts will be scaled back. Robert Lord, ICIT Fellow and CEO of Protenus, has said; “As 2016 has seen an acceleration in the number of breaches to patient data, we expect healthcare cybersecurity and privacy protection will be a central focus of the incoming administration.  We hope to see a much-needed focus on keeping patient data protected and out of the hands of criminals and malicious insiders.”

Many in the healthcare industry, from physicians to hospital staff, view HIPAA Rules as overly restrictive and an impediment to their work as healthcare professionals. Tom Price, a physician himself, will be aware of the burden on doctors to comply with HIPAA regulations. While it is not clear where Price stands on the Privacy, Security, and Breach Notification Rules, he has previously advocated the easing of Meaningful Use burdens. He stated that this could be done by extending the timeline for compliance with the financial incentive program. How his past role as a physician will affect his decisions as HHS secretary remains to be seen.

Although an update to the HIPAA Security Rule is due, President Trump has made it clear in his previous addresses that his administration is against excessive regulation. For each new regulation issued by an agency, two regulations need to be eliminated. The increase in healthcare cybersecurity breaches may warrant an update to the Security Rule and increased regulation, but for the foreseeable future, increased HIPAA regulations are perhaps not to be expected.

Any easing of HIPAA Rules is likely to have a negative effect on data security. Since many healthcare organizations focus their cybersecurity programs toward achieving compliance with HIPAA, and these programs can be costly to maintain, any easing of HIPAA restrictions could see cybersecurity efforts scaled back. If covered entities are required to do less to keep data secure, this would likely lead to an increase in healthcare data breaches. HIPAA Rules may therefore remain unchanged for the foreseeable future.