The Final HIPAA Actions Under Trump AdministrationPrivacy Rule Revisions Prepared; Enforcement Tied to COVID-19 Vaccine Scheduling Eased
On the final full day of the Trump administration, the Department of Health and Human Services Tuesday prepared to publish proposed changes to the HIPAA Privacy Rule this week. Plus, it revealed plans to ease off on HIPAA enforcement when organizations use certain web-based applications to schedule COVID-19 vaccinations.
The HHS Office for Civil Rights submitted for publication on Thursday in the Federal Register a 93-page notice of proposed rulemaking for modifications to the HIPAA Privacy Rule.
The proposed changes – first announced in December - aim to improve information sharing for care coordination and strengthen individuals' rights to access their own health information.
“What remains to be seen is whether the new administration will issue a final rule based on the notice of proposed rulemaking, or issue a supplemental NPRM with different proposals” to modify HIPAA, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, a former HHS OCR senior adviser during the Obama administration.
The proposed changes to HIPAA “are pretty bipartisan, so I expect that the new administration will proceed with a final rule, but likely not until next year at the earliest,” he says.
OCR will accept public comment on the proposed changes until March 21. The agency is then expected to review the feedback before moving forward with the next steps in final rulemaking.
The proposed HIPAA changes would give more flexibility to healthcare providers in making decisions to share patient information - such as about opioid abuse or COVID-19 treatment - with family members in situations involving "serious and foreseeable" threats, rather than the current "serious and imminent" threat standard.
HIPAA Enforcement Decision
Under a “notification of enforcement discretion” issued Tuesday, OCR says it will use discretion in enforcing HIPAA rules when non-public facing web-based scheduling applications are used “in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the … nationwide public health emergency.”
March Bell, who took on the role of acting OCR director last Friday after the departure of Roger Severino, notes: “OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible.”
Greene, the attorney, observed: ”I appreciate the effort to facilitate vaccine delivery as quickly as possible, trying to remove HIPAA administrative requirements as an obstacle."
In April 2020, HHS announced similar HIPAA enforcement discretion for “good faith” uses and disclosures of protected health information by business associates for public health-related activities during the coronavirus crisis (see: COVID-19 Crisis Triggers More HIPAA Policy Changes).
In a statement Tuesday, OCR highlighted some of its accomplishments during the Trump administration.
From March 2017 through January 2021, OCR completing 48 HIPAA enforcement actions requiring corrective actions as well as imposing penalties totaling $68 million.
The costliest settlement - $16 million – was with health insurer Anthem following a 2014 data breach that affected nearly 79 million individuals.
A top HIPAA enforcement priority over the last two years, however, was issuing sanctions for cases involving violations of patients’ right to gain timely access to their health records. To date, OCR has completed 14 such enforcement actions.
OCR’s proposed changes to the HIPAA Privacy Rule include reducing from 30 days to 15 days the time allotted to covered entities to respond to patients’ requests for copies of their health records.
Some privacy experts note that the Trump administration’s HHS OCR enforcement continued at a similar pace as under the Obama administration. The biggest change was the emphasis on the HIPAA right of access provision, Greene notes.
“Some long-gestating policy guidance, such as with respect to texting and social media, did not get published, and some HITECH requirements continue to collect dust, such as changes to accounting of disclosures, distribution of settlement/penalty amounts and ‘minimum necessary’ guidance,” he says. “But OCR did a really great job quickly putting out guidance and notices of enforcement discretion in response to the pandemic.”
Privacy attorney Iliana Peters of the law firm Polsinelli, a former OCR senior adviser during the Obama administration and a HIPAA investigator during the George W. Bush administration, offers a similar assessment.
“The HIPAA policy and enforcement work that OCR undertook during the Trump administration was generally consistent with that of previous administrations, and what I would expect to continue into the Biden administration, given the bipartisan nature of data privacy and security generally, and HIPAA specifically,” she says.
“I hope that the next administration opens the door again to conversations with regulated entities regarding OCR’s approach to implementation of the HIPAA rules, particularly with regard to security incidents and other novel issues, and to additional guidance on important HIPAA matters beyond the opioid crisis and the public health emergency that such entities face every day.”
Regulatory attorney Paul Hales of the Hales Law Group notes that a ruling last week by the 5th Circuit U.S. Court of Appeals in Louisiana vacating a $4.3 million civil monetary action against the University of Texas MD Anderson Cancer Center in a case involving three data breaches creates potential enforcement obstacles for HHS OCR.
The court’s decision “illuminated flaws in the HIPAA rules,” he says. OCR will need to “thoroughly review and revise as necessary, key elements of the rules,” he adds.
“This will be a huge, time-consuming undertaking for the Biden administration. Quick appointment of a strong OCR director to lead this process is essential. But that may be delayed because HHS has so many COVID-19 related priorities to address.”
Greene adds: “The M.D. Anderson ruling really forces OCR to reconsider its entire enforcement approach and may lead to more financial enforcement and less voluntary compliance. Essentially, OCR was acting like a police officer who lets many speeding cars pass and occasionally pulls one over to write a ticket and show other motorists that the police are out in force. The court essentially stated that OCR should be acting more like a speed camera, providing tickets to everyone much more consistently.”