Health Privacy, Security Priorities in Biden AdministrationSizing Up What's Ahead for Regulatory Action, HIPAA Enforcement
Look for the Biden administration to put health data privacy and security on the front burner next year.
As attorney general for California, U.S. Department of Health and Human Services Secretary Designate Xavier Becerra developed a track record as a proponent of consumer privacy initiatives. Most recently, his office developed and implemented the regulations for the roll-out of the California Consumer Privacy Act. He also took an active role in new laws addressing privacy and security aspects for direct-to-consumer genetic testing and testing companies.
Be on the lookout for action by the incoming HHS secretary to address the calls by some for stronger consumer privacy and security standards.
So, if he's confirmed as HHS secretary, Becerra could lead the charge on privacy and security issues on the national level.
If past history is a guide, however, the new administration likely won't appoint a new director for the HHS Office for Civil Rights, which enforces HIPAA, until late in 2021. In the meantime, the director role will likely be filled on an acting basis with senior career leaders in the agency.
Here's a look at what's likely to be on OCR's agenda in 2021.
The 21st Century Cures Act's information blocking and interoperability regulations require healthcare providers and health plans to provide patients quick access to their health information through third-party mobile or internet software applications. The applications that are selected by patients to access their health information are not subject to HIPAA's privacy and security standards.
The regulations make it much more difficult for covered entities to exercise discretion when requested to disclose patient information to third parties.
Current OCR Director Roger Severino appeared to be largely on the sidelines during the development and implementation of the information blocking and interoperability regulations.
HHS' Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services' adoption of standards undercut the HIPAA Privacy Rule's standards for disclosure of protected health information while expanding an individual's rights to access their health information.
OCR recently announced proposed modifications to the HIPAA Privacy Rule that adjust patient access to PHI. The proposals also would loosen standards for when a covered entity could disclose patient information without first obtaining authorization while removing caps that place limits on the scope of the data disclosed under the privacy rule.
I expect these recent proposals to modify the HIPAA Privacy Rule to undergo a long period of review, with further modifications likely. It's possible that OCR's proposed modifications to HIPAA could be withdrawn if the Biden administration issues a blanket withdrawal of all proposed rulemaking.
Also, the April compliance dates for the information blocking and interoperability regulations could be further delayed due to the ongoing coronavirus public health emergency.
In the meantime, be on the lookout for action by the incoming HHS secretary to address the calls by some for stronger consumer privacy and security standards, as well as requirements to account for how third-party apps used by consumers to collect their data from healthcare providers and health plans share patients' health information.
Look for 2021 to be a year when OCR continues to exercise its HIPAA enforcement muscle - but not at the pace seen in 2020.
OCR has been on a tear, settling 20 cases in 2020 with resolution agreements and corrective action plans.
Thirteen of these enforcement actions have cited violations of the Privacy Rule's standards requiring healthcare providers give individuals access to or copies of their health information.
The other settlements involve unauthorized disclosure of health information - breaches - whose root cause was found to be a failure to comply with various provisions of the Security Rule's requirements to safeguard protected health information.
Over the years, OCR has collected more than $130 million in HIPAA penalties from covered entities and business associates. And behind the scenes, the agency has closed hundreds of other compliance reviews that forced organizations to take actions to update their compliance policies or safeguards for protecting health information.
The common denominator for many of the cases in which there was a settlement was that the organization suffered one or more breaches affecting more than 500 individuals.
The enforcement actions came about when investigations into the root cause of the breach found systemic, often profound, failures of organizational programs to safeguard protected health information. And most often cited was failure to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems - required actions under the HIPAA Security Rule.
While OCR has enjoyed bipartisan support from Congress in holding healthcare organizations accountable for their failure to have adequate safeguards in place to protect patient information from unauthorized disclosures, efforts to excuse some healthcare entities from compliance reviews and enforcement actions are gaining steam.
A last-minute flurry of pre-holiday Congressional activity resulted in the passage of legislation that amends the HITECH Act to require OCR to take into consideration when making compliance reviews, regulatory audits or enforcement actions whether a covered entity or business associate has implemented viable security practices, such as use of the NIST Cybersecurity Framework (see: Bill Spells Out New Factors to Weigh in Setting HIPAA Fines).
HHS rulemaking will be required to implement the legislation that is sure to change the landscape of future enforcement and compliance audit efforts.
In 2016 and 2017, OCR conducted HIPAA compliance audits of approximately 166 covered entities and 41 business associates, measuring how organizations had adopted policies and performed processes on selected provisions of the HIPAA privacy, security and breach notification rules.
But OCR didn't publish its audit findings until Dec. 17 of this year.
Although the HITECH Act mandates OCR to conduct audits for HIPAA compliance, there have been no such audits since 2017.
Look for OCR to consider a reboot of the audit program first by looking for a contractor to handle the demands of examining HIPAA compliance. We could see a new and improved permanent audit program launched late in the year or early 2022.