What's in Store for HIPAA Under New OCR Leadership?Attorney Kirk Nahra Sizes Up Likely Privacy, Security Direction
What's in store for health data privacy and security initiatives in the Trump administration, now that a new leader for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has been selected? Healthcare attorney Kirk Nahra, a regulatory expert, offers an assessment.
Last week, the Trump administration named Roger Severino to head OCR. Severino most recently was director of conservative think-tank Heritage Foundation's DeVos Center for Religion and Civil Society, Institute for Family, Community. Previously, he was a trial attorney for seven years in the Department of Justice's Civil Rights Division.
Severino's apparent lack of experience in dealing with health data privacy and security issues is not unusual for someone chosen to head OCR, Nahra, a privacy attorney at law firm Wiley Rein LLP, notes in an interview with Information Security Media Group. In fact, Jocelyn Samuels, who left her job as OCR director in January, also came to the office with a background in civil rights work, rather than in the privacy and security arena.
OCR's role enforcing civil rights principles predates its role as HIPAA enforcer, Nahra points out. "So you have a situation where you have some very different laws being enforced by the same unit of HHS. ... So, you could have someone [as OCR director] with a civil rights background, you could have someone with a privacy background, you could try to find someone with both backgrounds - but that's a much more limited pool."
Under Samuels leadership, OCR did see an increase - but not a major "paradigm shift" - in HIPAA enforcement activities, including settlements stemming from breach investigations, Nahra notes.
But will OCR shift its priorities under new leadership? Nahra says it's too soon to tell.
"The administration to my knowledge has never spoken about HIPAA privacy and security - it's not a first-tier priority for the administration, it's not a second-tier priority, and I'm not sure it's an any-tier issue at this point," he says. "They've appointed somebody for whom HIPAA privacy and security has not been an issue in the past."
Nahra says that despite the recent failure to repeal and replace the Affordable Care Act, also known as Obamacare, "I don't think the issue of healthcare is going away. I expect one of the results of that activity is that a lot of the attention of the Trump administration on the healthcare field broadly is going to [remain] focused on the idea of repeal and replace, and so there isn't going to be that much attention focused on something like privacy issues under HIPAA, because that's just not a high priority item in any direction for the administration," he predicts.
In the interview (see audio player below photo), Nahra also discusses:
- Whether the political and personal views of new Trump administration leaders, including Severino, could potentially impact HHS' health data privacy and security actions;
- Important privacy and security related regulatory and legislative issues to watch in 2017;
- The significance of recent settlements between New York state's attorney general and three mobile health application vendors over misleading marketing and privacy practices (see NY Deals With App Vendors Could Fuel More Privacy Actions).
As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He's a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.