Will HHS Secretary Tom Price Ease HIPAA Regulations?

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights.

The appointment of a new director for the Office for Civil Rights may not be first on Price’s to do list, although the new HHS secretary is expected to appoint a new OCR director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules and how rigorous those enforcement activities are.

Since taking up the position of OCR Director in July 2014, Jocelyn Samuels oversaw a major increase in HIPAA enforcement activity. Last year, Jocelyn Samuels announced 12 settlements (and one CMP) with covered entities who were discovered to have violated HIPAA Rules during investigations into data breaches – a record year of enforcement for OCR.

Jocelyn Samuels also oversaw the second phase of the much delayed second phase of HIPAA compliance audits. Last year, the audits finally commenced with approximately 200 covered entities and HIPAA business associates subjected to a HIPAA compliance desk audit. Full compliance audits have been scheduled for early 2017 as part of the second phase. Samuels was keen to increase financial penalties for HIPAA violators and ensure non-compliance was identified and corrected, but the leadership changes place future HIPAA enforcement in doubt.

However, given the number of data breaches experienced by the healthcare industry in the past 12 months, it seems unlikely that OCR enforcement efforts will be scaled back.

“As 2016 has seen an acceleration in the number of breaches to patient data, we expect healthcare cybersecurity and privacy protection will be a central focus of the incoming administration.  We hope to see a much-needed focus on keeping patient data protected and out of the hands of criminals and malicious insiders,” says Robert Lord, ICIT Fellow and CEO of Protenus.

Could HIPAA Rules be Amended by Price?

HIPAA Rules are viewed by many physicians to be overly restrictive. Tom Price is a physician, and as such, he will be well aware of the burden on doctors to comply with HIPAA regulations. While it is not clear where Price stands on the Privacy, Security, and Breach Notification Rules, he has previously advocated the easing of Meaningful Use burdens by extending the timeline for compliance with the financial incentive program. How his past role as a physician will affect his decisions as HHS secretary remains to be seen.

An update to the HIPAA Security Rule is certainly due, although President Trump has made it quite clear that his administration is against excessive regulation. For each new regulation issued by an agency, two regulations need to be eliminated. The increase in healthcare cybersecurity breaches may warrant an update to the Security Rule and increased regulation, but for the foreseeable future, increased HIPAA regulations are perhaps not to be expected.

Any easing of HIPAA Rules is likely to have a negative effect on data security. Since many healthcare organizations focus their cybersecurity programs toward achieving compliance with HIPAA, any easing of HIPAA restrictions could see cybersecurity efforts scaled back. If covered entities are required to do less to keep data secure, this would likely lead to an increase in healthcare data breaches. HIPAA Rules may therefore remain unchanged for the foreseeable future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.