2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slow down.

Are Major 2018 HIPAA Changes Likely?

The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.”

While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference, who confirmed the HHS understands deregulation in some areas is required before further regulations can be introduced.

Therefore, there are unlikely to be major 2018 HIPAA changes, at least not in terms of increased regulation. What is more likely is an easing of the administrative burden on healthcare organizations in 2018.

OCR is currently reviewing existing HIPAA regulations to determine whether all aspects of HIPAA Rules are still relevant and if there are any areas where the administrative burden on healthcare organizations can be eased. OCR is looking at the benefit of various provisions of HIPAA and whether those benefits outweigh the costs.

The HHS has said its goals are “reducing the burden of compliance” and “streamlining its regulations,” while promoting “meaningful information sharing”.

2018 HIPAA changes could make life simpler for many healthcare organizations as the HHS attempts to minimize duplication and burdensome requirements and eliminate outdated restrictions and obsolete regulations.

HIPAA Enforcement in 2018

In 2016 there was a significant increase in HIPAA enforcement activities by OCR, with more settlements reached with covered entities and business associates than in any other year since the HIPAA Enforcement Rule was signed into law. In 2016 there were 12 settlements and one civil monetary penalty issued, and 2017 HIPAA settlements were well above average levels, with 9 settlements and one civil monetary penalty. So, what can we expect for HIPAA enforcement in 2018?

At HIMSS 2018, Roger Severino gave a presentation on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights and made it clear OCR will continue to pursue settlements with HIPAA covered entities for egregious violations of HIPAA Rules. Severino said OCR still has the same enforcement mindset and that there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases.” That does not necessarily mean large healthcare organizations. OCR treats potential HIPAA violations on a case-by-case basis, and smaller healthcare organizations may similarly be punished if they are discovered to have violated HIPAA Rules.

Severino said OCR does not want to fine healthcare organizations for violating HIPAA Rules and wants the number of settlements to fall, but for that to happen, healthcare organizations must improve their compliance programs. 2018 HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments. Already, 2018 has seen two settlements announced: a $100,000 penalty for Filefax, Inc., and a $3,500,000 settlement with Fresenius Medical Care North America. Time will tell if this was a blip or if that pace will be maintained throughout the year.

OCR is not the only enforcer of HIPAA Rules. State attorneys general can also issue fines for HIPAA violations, and the New York AG has been active in this area in recent weeks, fining EmblemHealth $575,000 in March and Aetna $1,150,000 in January. Further financial settlements are likely to be pursued in NY and other states to resolve HIPAA violations and privacy and security-related breaches of state laws.

The GDPR Compliance Deadline is Fast Approaching

American healthcare organizations with patients, customers, or partners in Europe – and business associates that also work in Europe – are required to comply with the EU General Data Protection Regulation (GDPR) in 2018.

Compliance with GDPR is mandatory for all companies doing business with EU nationals. The compliance date is May 25, 2018. Companies that fail to comply with GDPR can face stiff financial penalties. Violations of GDPR are punishable with a fine of up to 20,000,000 Euros ($23,138,200) or 4% of the company’s annual global turnover, whichever is higher.

There is some overlap between GDPR requirements and those of the HIPAA Privacy and Security Rules, so compliance with GDPR will be easier for U.S. healthcare organizations than for other U.S. businesses. However, compliance with HIPAA is no guarantee of compliance with GDPR.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.