Trump's Impact on Health Data Privacy, Security
Experts Weigh In on Short-Term, Long-Term Implications of Election
The transition to a Donald Trump administration likely won't have a significant immediate impact on HIPAA enforcement or other healthcare privacy and security regulatory activity - but it could over the long haul. That's the consensus of CISOs, CIOs and other privacy and security experts who offered reactions to Trump's surprise victory in the Nov. 8 election.
The Department of Health and Human Services' Office for Civil Rights' enforcement activities will continue because "decisions concerning the enforcement of the HIPAA rules are made by career staff that will be unaffected by the change in administration," says attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"The [HIPAA] audit program is a congressional mandate that arose from the HITECH Act," notes Holtzman, who formerly worked at OCR. "According to HHS' Office for Civil Rights, they plan on funding the audit program using some of the $27 million collected from fines and penalties to resolve HIPAA violations."
Longer term, however, the policy direction of OCR could be dependent on the approach of the incoming OCR director, he acknowledges. "If past transitions serve as a guide, the appointment of OCR director takes place several months into the new administration," he says.
John Houston, CISO and chief privacy officer of the University of Pittsburgh Medical Center, also doesn't anticipate any major change in HIPAA enforcement under the new administration. "I suspect that it would distract from more important regulatory reform that the Trump administration wants to make," he says.
Another former OCR staffer, privacy attorney Adam Greene of the law firm Davis Wright Tremaine, notes: "HIPAA is a relatively bipartisan area - the Bush administration did not scrap the privacy regulations, as many expected it would, and Congressional calls for greater enforcement have come from both sides of the aisle."
Other experts also predict that OCR's ongoing HIPAA compliance audit program will not be affected by the election.
"Frankly, I do not see much change in this regulatory area," says Bob Chaput, CEO of the security consultancy Clearwater Compliance. "OCR's efforts ... in no way reach all the organizations and compliance issues that exist." And OCR's budget is so small that it likely won't be "on the radar screen" for potential cuts, he argues.
"Most importantly, respectable healthcare leaders attend to compliance and cybersecurity as a business risk management issue and a competitive advantage opportunity, not as a regulatory compliance issue," Chaput adds.
Greene, however, predicts a lull in HIPAA enforcement and guidance during the changeover of administrations as new political appointees come in at HHS.
"But I expect the general direction to then resume," he says. "HIPAA and the HITECH Act are sometimes lumped together with Obamacare, but they are pretty separate, and whatever happens with the Affordable Care Act is unlikely to affect HIPAA. That being said, when has any prediction about this election proven accurate? We will need to wait and see what political appointments are made."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says much uncertainty remains about Trump's position on some critical healthcare data security issues. "We generally have very little idea of how he will approach most privacy and data security issues, beyond the barest of general principles," he says.
"I would expect a significant focus on cybersecurity issues, given the concentration on foreign power attacks. I would expect the balance to tilt strongly toward the government's efforts to monitor citizen activity. I think the impact on HIPAA enforcement will be limited, since this isn't generally an area that is at the broad level of where attention is being paid at this point. I would not expect new resources here, and there could easily be cuts, which might mean less enforcement."
Joy Pritts, former chief privacy officer at HHS's Office of the National Coordinator for Health, which oversees policies and standards of the HITECH Act financial incentive program for electronic health records, says advancing health IT "has always had bipartisan support, and I would expect such support to continue under a Trump administration."
Health IT "will be crucial to implementing some of the public policy priorities in the Republican Party platform, such as increasing home care for the elderly," she notes. "The platform also makes clear that while the Republicans applaud advances in health IT, they continue to support patient privacy and ownership of their personal health information. The wild card in all this, of course, is whether - and to what extent - the Trump administration will follow the party platform."
Congress has been pushing for interoperability of records systems and secure health information exchange, but that's easier said than done, Houston notes.
"If they were to focus on one thing, it would be to develop rational rules around the electronic sharing of sensitive information," Houston says. "This is by far the biggest IT challenge that confronts improving the quality and efficiency of health care, while reducing cost."
The Same Priorities?
John Halamka, CIO at Beth Israel Deaconess HealthCare, a Boston-area integrated healthcare delivery network, says he expects federal priorities around healthcare IT-related programs to continue under the Trump administration.
"Today, in my interactions with existing career government officials who will be present in the next administration, I have been told that payment reform and healthcare IT innovation have bipartisan support," he says.
Trump has not spoken directly on issues concerning healthcare IT or health information privacy, Holtzman notes. "It will be left to the yet-to-be appointed HHS secretary and his health policy team to set e-health policy and other issues like meaningful use, the new MACRA [payment] programs, and approaches to cybersecurity and threat sharing programs," Holtzman says.
An issue likely to come up in the upcoming lame duck session of Congress is consideration of the 21st Century Cures legislation, he adds. "The bill that passed in the House earlier this year included significant changes to the HIPAA Privacy Rule that would allow healthcare providers and health plans to share patients' protected health information with pharmaceutical and medical device [firms] as a permitted disclosure under healthcare operations, and without the patient's authorization."
Healthcare Sector Cybersecurity
Because cyberattacks are increasingly targeting the healthcare sector, some experts hope the Trump administration will take action to bolster overall cybersecurity protection. "I would hope that any changes/improvements in cybersecurity should be in the context of a general program to improve cybersecurity across industry sectors," Houston, the CISO, says.
"By doing so, healthcare would likely best benefit. And, in the context of information sharing, an industry-agnostic information sharing program would produce the greatest benefit. Honestly, until the nation can figure out a way to generally improve the state of cybersecurity, no one sector can improve substantively in a vacuum. Cybercrime has reached near catastrophic levels, and our nation needs to take radical steps. However, much of this must take place at the infrastructure level first."
Chaput, the consultant, offers a similar perspective. "To the extent that Trump does indeed see cybersecurity as a key component of national security, I would expect his advisers and Congress will continue to encourage the important work underway in this area," he says. "Of course, threat information sharing is simply one component of a much broader security architecture."