New HHS Secretary Alex Azar: Will He Shake Up Priorities?Regulatory Experts Size Up What's Ahead
The newly confirmed secretary of the Department of Health and Human Services, Alex Azar, has the potential to reset critical national healthcare priorities and policies, including those related to security and privacy. But what action will he take regarding HIPAA enforcement and other related issues?
Azar, a former Eli Lilly executive who also previously served as HHS deputy secretary and general counsel during the George W. Bush administration, was confirmed by the Senate on Wednesday by a 55 to 43 vote that included only a handful of Democrats voting in favor of his nomination.
"The secretary sets departmental priorities - so Alex Azar will have an enormous impact on the priorities of the Office for Civil Rights and Office of the National Coordinator for Health IT, potentially more so than for other parts of HHS, because OCR and ONC are both actually part of the Office of the Secretary," says privacy attorney Deven McGraw. Formerly the deputy director of health information privacy at OCR, which enforces HIPAA, McGraw now serves as regulatory officer at the start-up technology firm Citizen.
Azar succeeds President Trump's first HHS secretary, Tom Price, M.D., a former Congressman from Georgia, who resigned from the administration last year amid controversy over his use of taxpayer funds for government travel using chartered private planes.
In written testimony during his Senate Health, Education, Labor, and Pensions Committee confirmation hearings on Nov. 29, Azar noted his top four priorities for HHS, but none directly involve health IT, healthcare sector cybersecurity or health data privacy and security matters.
"With a department the size and scope of HHS, it can be difficult to prioritize. Nonetheless, should I be confirmed, I do envision focusing my personal efforts in four critical areas," Azar said in his written testimony.
Those priorities, he testified, include addressing high drug prices; making healthcare "more affordable and more available"; harnessing "the power of Medicare" to shift the focus in the nation's healthcare system from fee-based services to outcome-based payment; and tackling "the scourge of the opioid epidemic that is destroying so many individuals, families, and communities."
But McGraw hopes Azar's priorities stretch beyond those that he mentioned during his Senate testimony. "I hope that Secretary Azar will continue to prioritize the right of individuals to access their health information - not just to enforce the HIPAA right already on the books - although that is critical - but to take steps to enable patients to truly have an equal seat at the healthcare table through seamless digital data access," she says. "I am seeing and hearing things that are demonstrating the administration is committed to this, and I think that will be critical for patients and a game-changer for healthcare."
But will the new HHS secretary have an impact on HIPAA enforcement?
Since the Trump administration took office a year ago, HIPAA enforcement actions have dramatically slowed down by comparison to the two previous years.
OCR had been issuing settlements in HIPAA cases on almost a monthly basis in 2016 through early 2017. But since May 2017, OCR has issued only two enforcement actions, including a $2.3 million HIPAA settlement in late 2017 with bankrupt cancer care clinic chain, 21st Century Oncology.
OCR officials, however, have contended that the apparent slowdown in settlements is due mainly to the new OCR director, Roger Severino, settling in and not due to a de-emphasis on enforcing HIPAA.
"Without a doubt, the secretary has the power to reset the priorities of OCR if he chooses to - such as by paring back or ramping up enforcement, focusing enforcement on particular aspects of the HIPAA Rules, etc.," McGraw says. "But I don't think we have any indication that Secretary Azar would make any changes to OCR's current priorities and programs."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek and a former senior adviser at OCR, offers a similar assessment.
"The impact that a secretary of Health and Human Services to influence the direction or prioritization of policy on issues like health IT, health information privacy and security or medical device cybersecurity is huge," he says. "There was limited inquiry of Azar's views on these issues through the confirmation process in the Senate other than speaking of using health IT as a tool to achieve goals of value-based health care. We will have to wait to learn how Secretary Azur sees the department's role and direction in health IT and cybersecurity.
Holtzman says he'll be watching for how Azar's views on health IT and cybersecurity develop and if he will elevate these issues within the administration. "Will HHS under Azar be allowed to pursue an agenda that has the department leading the charge on addressing issues like cybersecurity, health IT and privacy? My hope is that the appointment of Secretary Azar signals a new engagement by the Trump administration to take a leadership role to fight ransomware or use its regulatory muscle to bring interoperability to the electronic health records products as well as using its current authority to ensure that the privacy rights of individuals under the HIPAA rules are protected."
Holtzman, however, doubts Azar will have a much direct impact on OCR's activities.
"In my experience, the secretary does not take a direct role in the direction of enforcement of the HIPAA rules. Their influence is more broadly applied through influencing the direction of policy in ... revising regulations and [developing] policy guidance. ... The HHS secretary plays a key role in the development and spending of the department's budget, which can be used to further their policy goals. Key here will be to watch how OCR uses the funds it has collected through levying HIPAA fines and penalties for additional resources to support its enforcement activities."