So what actions can we expect in 2018 from the Department of Health and Human Services' Office for Civil Rights as it enforces the HIPAA privacy, security and breach notification rules? Making a prediction is difficult, given all the changes at HHS.
The first year of the Trump administration has been rocky for HHS. The early exit of Secretary Tom Price likely delayed some policy and spending decisions. Alex Azar's nomination as HHS secretary looks to be on track for confirmation by the Senate early in the new year.
Azar has experience in the Bush administration as HHS general counsel, followed by a stint as deputy secretary when health IT initiatives began to take hold in the department. Look for Azar to increase attention on initiatives promoting health IT and cybersecurity when he takes the helm.
The new HHS OCR director, Roger Severino, described himself as learning on the job about the agency's role in health information privacy and security. In recent remarks, he said he sees his role as carrying out the Trump administration's mandate to roll back regulations as well as "...shutting down the regulatory state." That could point to OCR taking a lower profile in its enforcement and regulatory action.
Further clouding the picture is the recent departure of Deven McGraw as deputy director of the health information privacy division. This position has had significant influence on the setting of priorities and policy direction. Iliana Peters, the capable senior adviser for HIPAA compliance and enforcement, is pulling double duty as acting deputy director of health information privacy until there is a permanent hire to replace McGraw. Watch for Severino's selection of a health information privacy leader for insight on the direction the office will take on HIPAA privacy and security issues.
Outlook for Policy and Guidance
It's highly unlikely that OCR will issue new regulations that would modify the HIPAA rules. Although the 21st Century Cures Act and the department's own Regulatory Agenda for Fiscal Year 2018 call for OCR to develop rules, the Trump administration mandate to avoid new regulations means OCR will instead produce policy guidance.
Likely areas for additional guidance include initiatives related to sharing electronic health data and patient records as called for in the 21st Century Cures Act. Generally, the goal accentuates the flexibility provided by the HIPAA Privacy Rule to disclose PHI when in the best interest of the patient, when the patient is a minor or if the individual asks for streaming treatment data to be compiled in their personal health record.
Recently, OCR announced the launch of a working group to study and report on the uses and disclosures under HIPAA of protected health information for research purposes. The 21st Century Cures Act mandates that OCR issue guidance in a number of areas that would clear the way under HIPAA Privacy Rule standards to remove barriers to disclosure of PHI for research, including authorizations for future research.
Outlook for Enforcement
Look for OCR to continue its HIPAA enforcement program by returning to its behind-the-scenes approach of resolving complaints and compliance reviews through voluntary compliance by covered entities and business associates.
At the mid-point of 2017, OCR was on pace to eclipse prior records for HIPAA enforcement actions. But in the last six months of the year, there was only a single resolution agreement.
The common denominator for many of the cases in which OCR conducts compliance reviews is that the covered entity or business associate suffered one or more breaches affecting more than 500 individuals sometime between 2013 and 2015. The compliance reviews often cite the CE or BA for failing to perform an information security risk assessment or to have a risk management plan to address gaps in the safeguards for information systems, both required actions under the HIPAA Security Rule.
Permanent HIPAA Audit Program
In 2016, OCR conducted desk audits of approximately 200 covered entities and business associates, measuring how organizations had adopted policies and performed processes on selected provisions of the HIPAA privacy, security and breach notification rules. The implementation of the desk audit program produced a big bang, but OCR was slow to produce the reports of its audit findings to organizations that responded to the audit.
OCR has canceled the comprehensive on-site audits it proposed. There is hope that a final report of the findings of the desk audits will be issued early in 2018. Look for the agency to retool and reboot the audit program for 2019, first by looking for a new contractor better able to handle the demands of examining HIPAA compliance.
This time next year, we can look back at 2018 as the year of OCR's bumpy ride through the changes wrought by the Trump administration.