The Trump administration likely will continue "reasonable enforcement" of HIPAA, following the same strategy as the Obama administration, predicts privacy and security attorney Kirk Nahra.
"We're going to watch to see whether we're going to have continued [HIPAA] enforcement ... continued budget support for [the privacy and security related activities of] the Office for Civil Rights, Office of the National Coordinator for Health IT and Federal Trade Commission," Nahra says in an interview with Information Security Media Group.
"I think we will continue to see reasonable enforcement, [but] I wouldn't expect to see a ramping up of enforcement," he says. "We will see enforcement in the thoughtful, responsible way that ... the Office for Civil Rights has done for many years."
A leftover issue that the Obama administration did not address, Nahra says, is the security of emerging technologies that are generating, transmitting or collecting health data. These technologies, such as mobile apps, are not covered under HIPAA.
"The HIPAA rules were written from a statute in 1996 and went into effect in the early 2000s. They focused on a very traditional view of healthcare - doctors, hospitals, pharmacies and health insurers," he explains. "But what we've seen over the last decade is vast growth in the places and the entities that are ... collecting, creating, using and disclosing healthcare information. You see wearables, mobile apps, all kinds of websites, wellness programs - a variety of places where healthcare information is being used, gathered and disclosed that are not subject to the HIPAA rules."
The Obama administration recognized this issue, Nahra notes. "But there wasn't much progress in actually doing something about that. I expect that problem to continue over the next few years, but I'm not sure it's an issue that will percolate in this next administration. So, we will continue to see lots of healthcare information being used, collected and gathered in ways that are not regulated by the HIPAA rules, largely meaning they are unregulated."
In the interview, Nahra also discusses:
- The health data privacy and security accomplishments and disappointments of the Obama administration;
- Emerging privacy and cybersecurity challenges that the Trump administration will face;
- The data privacy aspects of an update to the Common Rule that was issued in the last days of the Obama administration, and why the rule might not go into effect under the Trump administration. The rule is intended to protect those participating in medical research projects.
As a partner at the law firm Wiley Rein, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He's a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.