Trump's First 100 Days: Assessing Health Data Privacy, Security
Analysis: What's Been Achieved So Far, and Where Things Could Be Headed
As President Trump approaches day 100 of his presidency April 29, it's time to assess the impact of his administration so far on health data privacy, security and related health IT issues. Do we have any more clarity now than we did when he took office in January?
So far, when it comes to enforcement activities related to the HIPAA security, privacy and breach notification rules, the Department of Health and Human Services' Office for Civil Rights appears to be on the same path it was on during the last year or so under the Obama administration.
In 2016, OCR issued 12 HIPAA resolution agreements, plus one civil monetary penalty. That was a record for the agency. But so far in 2017, the pace seems to be pretty much the same: As of April 26, OCR had issued seven HIPAA resolution agreements this year - five of those issued after Trump took office on Jan. 20. At this same time last year, OCR had issued six HIPAA enforcement actions.
But keep in mind that new OCR Director Roger Severino only joined the HHS team about a month ago, and most of OCR's key enforcement leaders now reporting to Severino are seasoned career staff, including Deven McGraw, OCR's deputy director of health information privacy, who's been at the agency since June 2015, but has been a privacy attorney and advocate for many years.
It's also worth noting that most OCR HIPAA settlements take a long time to work out. Most start with a breach report or complaint that gets investigated by regulators, and that process - including negotiating resolution agreements and corrective action plans - can take a few years.
Just this week, OCR issued a $2.5 million settlement with remote heart-monitoring firm CardioNet related to a data breach reported in 2012.
"I don't think we really have any meaningful idea of any big picture issues related to privacy and security enforcement," says attorney Kirk Nahra of the law firm Wiley Rein. "That's not surprising at all - it wasn't a topic of any campaign rhetoric at all, and it isn't an area where there are any obvious needs for change - including no broad-based demand by industry for change."
Right now, we don't have many specifics about Trump's proposed fiscal 2018 budget for HHS agencies, including OCR or the Office of the National Coordinator for Health IT, which oversees standards and policies of certified electronic health records, including secure and interoperable data exchange issues.
Trump released his proposed "skinny" fiscal 2018 budget in March, but that document was, indeed, slim on details. What we do know is that Trump proposes to slash the HHS budget by $15.1 billion, or nearly 18 percent, to $69 billion. Also, Trump reportedly issued a 14-page memo earlier this month that instructs federal agencies, including those in HHS, to "begin taking immediate actions to achieve near-term workforce reductions," according to Politico.
Big cuts to OCR's budget could potentially hurt the already resource-strained agency and force it to put enforcement activities on the back burner once fiscal 2018 begins on Oct. 1. Those activities include OCR's plans to conduct a limited number of on-site HIPAA compliance audits.
OCR had originally planned to conduct those reviews during the first quarter of 2017, but in an interview in February, McGraw said the timeline got pushed to later this year. If OCR finds itself with a smaller staff come fall, it's possible the on-site audits, as well as plans for a variety of new guidance and regulations, could get put on indefinite hold.
Trump in January signed an executive order putting executive branch departments and agencies on a regulation diet. The order instructs agencies and departments to identify for elimination two existing regulations for every single new regulation that's proposed. So we'll also have to wait and see what happens to HHS plans for issuing regulations that were supposedly in the pipeline. For instance, the 21st Century Cures Act signed into law late last year calls for ONC to flesh out details around health data exchange.
"I don't foresee any particular new HIPAA regulations coming out in the short term, although the 'two-for-one' [executive order] may be the final nail in the coffin for a few holdover HITECH Act regulations that haven't yet been issued," Nahra notes. "The one area where the current administration's anti-regulation philosophy might affect policy is on the HIPAA Accounting of Disclosures Rule, where there was substantial opposition by industry to the regulatory proposal from several years ago."
Broader health IT issues are a bit more complicated, Nahra notes. "There are some opportunities to simplify regulations and separate instructions coming from the 21st Century Cures Act and other places. These issues are pointing in multiple directions. They also are really hard," he says. "So, given the likely continued focus on broader healthcare reform, I doubt we will see much in the short term on health IT issues in general, but I would expect that to resurface later this year or in 2018."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says he doesn't expect changes at HHS that will dramatically impact the mission of OCR or ONC. "There is strong bipartisan support in Congress for the HIPAA privacy and security standards. There is also broad agreement and recognition of the expanding opportunities for better, efficient healthcare in the development of health information technologies," he says.
When it comes to the bigger cybersecurity picture in healthcare, Holtzman says he's also encouraged by media reports that HHS, to improve cyber information sharing in the healthcare sector, is planning its own version of the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
"I believe that HHS is turning the corner in recognizing it must develop healthcare-specific solutions for the healthcare sector. The [HHS] center will educate health organizations and consumers about the risks of using mobile applications and data," he says. "Hopefully, the administration will continue to support initiatives like these as opposed to relying on proprietary solutions that are beyond the reach of cash-strapped hospitals and community-based healthcare providers."