HHS Leadership Post Picks: Sizing Up the Impact
Experts Analyze How New Leaders Will Prioritize Security Matters
Little by little, the Trump administration is filling key leadership positions in the Department of Health and Human Services that can have an impact on privacy and security issues.
The Senate on March 13 confirmed Seema Verma as administrator of the Centers for Medicare and Medicaid Services. Meanwhile, Scott Gottlieb, M.D., awaits Senate approval as the new commissioner of the Food and Drug Administration.
During her confirmation hearing, Verma mentioned that she believes electronic health records have yet to live up to their promise, the news site Politico reports. CMS administers payments to healthcare providers participating in the HITECH Act electronic health records "meaningful use" financial incentive program.
Verma was founder and CEO of SVC, a health policy consulting firm based in Indiana. She worked heavily on Medicaid reform in that state under former governors Mitch Daniels and Mike Pence, Trump's vice president.
Gottlieb, President Trump's pick to lead the FDA, is a resident fellow at the American Enterprise Institute, a think tank, where he studies the FDA and CMS. He was the FDA's deputy commissioner for medical and scientific affairs from 2005 to 2007 in the George W. Bush administration.
Over the last three years, the FDA has been heavily pushing to get manufacturers and healthcare organizations to pay more attention to the cybersecurity of medical devices (see FDA: Dispelling Medical Device Cybersecurity Myths).
Meanwhile, the Trump administration has yet to announce its selections for leaders of the two HHS units that have the biggest impact on data security and privacy matters - the Office for Civil Rights and the Office of the National Coordinator for Health IT.
Those appointments will be made by new HHS Secretary Tom Price, M.D., who was confirmed by the Senate a few weeks ago. Price, a physician, formerly was a Republican congressman from Georgia. It's not yet clear where he stands on important health data security issues.
"Secretary Price comes into office with a reputation of opposing government regulatory activity, which impacts the day-to-day relationship between physicians and patients," notes privacy attorney David Holtzman, vice president of security consulting firm CynergisTek.
"We will all be watching for indications of how he views the HIPAA privacy and security rules," he says. "Will the secretary look at them as infringing on the ability of physicians to practice medicine? Will the new secretary view the HIPAA Breach Notification Rule as burdensome? Does he see Office for Civil Rights' enforcement of the health information privacy standards through levying monetary fines and compelling corrective action as being too punitive?"
Price and Verma have broad authority to make significant changes in policies and priorities for health information privacy and security as well as the development and standardization of EHRs, Holtzman notes.
"Secretary Price has been a vocal critic of the [HITECH] Meaningful Use program, calling the reporting requirements and oversight burdensome on physicians. He questions how the data being collected and reported by physicians is actually contributing to the quality of care," Holtzman says. Instead, Price believes that the government should focus on improving the interoperability of health IT to ease data exchange, he adds.
Price will help set the tone on privacy and security with his picks of a new director of OCR - which oversees HIPAA enforcement - and a new national coordinator for health IT, the office that oversees policies and standards related to EHRs and other health IT under the HITECH Act. That includes, for instance, a requirement that healthcare entities attest to conducting a security risk analysis of their EHR data.
Staying the Course?
Privacy attorney Kirk Nahra of the law firm Wiley Rein hopes the new HHS leadership team will stay the course set by their Obama administration predecessors when it comes to security and privacy matters.
"For the most part, I don't see these issues as being ones where there is a real need to change," he says. "Generally these efforts are being done well now. OCR, in particular, doesn't really need to change - they have good people in charge who really know what they are doing."
John Halamka, CIO of Beth Israel Deaconess Healthcare, also predicts that not much is likely to change in the direction HHS takes on health data privacy and security issues.
"Through various conversations with academic and government leaders, I have confirmed that the advice I've given since the election still holds true: Regulation and legislation regarding privacy is unlikely to change anytime soon and the civil servants enforcing those requirements - below the secretary level - have not changed," he says. Additionally, "the 21st Century Cures Act contains new directives for HHS and that work should be watched."
However, healthcare attorney Steven Teppler of the law firm Abbott Group fears that the deregulation theme of the Trump administration could ultimately deter OCR's aggressive enforcement of HIPAA. He's concerned that the new leader of OCR may not keep up that pace of enforcement, which has included a number of multimillion-dollar HIPAA settlements over the last two years.
"There's likely to be less enforcement until something bad happens, and then they'll pay lip service," he contends.
Watered Down Authority?
Some industry players have been pushing HHS to water down ONC's regulatory authority over health IT.
For instance, in a letter sent to Price on March 13, Health IT Now - a coalition of patient groups, provider organizations, employers and payers - asked the Trump administration and Congress to work with industry stakeholders "to clarify what role and to what extent ONC should play in the overall regulation of health information technology, and how such a role would interact with other regulatory agencies."
The group notes: "We believe recent actions by ONC may have overstepped original authorities provided under the HITECH Act." For example, the group says a proposal calling for ONC to directly review certified and non-certified health IT products for patient safety concerns "encroaches on the statutorily required regulatory authority of other federal agencies, specifically the FDA."