While home on paternity leave taking care of my baby daughter, I’ve had a fair amount of time to think about different issues, which means I think about HIPAA. The fact that my mind turns to HIPAA in my free time is probably the subject of a different post, but, for now, I am wondering what enforcement actions will look like under a new administration.
The previous eight years can briefly be summarized as a slow start that built to frequent and clear action. The early years of the Obama administration did not see much, if any, HIPAA-related action, which was essentially a continuation of what had occurred since passage of HIPAA in 1996. The Privacy and Security Rules were set, and no consistent attempts were made to ensure compliance. However, following passage of the HITECH Act, that changed, and changed dramatically. A round of pilot audits occurred that showed widespread non-compliance, which was followed by an ever-increasing number of settlements that targeted specific areas of non-compliance. The settlements continued right up to the last days of the Obama administration, with a couple being announced in the early days of January 2017. Additionally, a “permanent” audit program was launched in 2016, with a number of covered entities going through the process. No results have been revealed yet, but any information is sure to be interesting.
With that brief summary as background, what should the healthcare industry and those servicing the healthcare industry expect going forward? I suspect that at least a moderate continuation of recent years will occur. The settlements are a relatively easy way for the Office for Civil Rights to bring in money to fund various operations. The settlements are also a means to spot-check compliance within the industry. However, the settlements could also be viewed as representative of the unfair or unnecessary regulatory burden imposed on the healthcare industry by the government. Given the Trump administration’s somewhat articulated preference to reduce the regulatory burden overall, maybe enforcement will fall back as a way of making operations easier. While that view may be appealing, it is likely a safer bet to view enforcement action as continuing.
A more difficult prediction is whether the Office for Civil Rights (and Office for the National Coordinator of Health IT) will continue to provide guidance on how to comply with HIPAA and the interaction between HIPAA and newer technology. For the past couple of years, OCR produced a number of guidance documents and statements to help explain common misunderstandings of HIPAA and its application. While none of the guidance broke new ground, it responded to calls from many players for statements on expectations. The guidance provided roadmaps for those new to the healthcare industry to follow and reaffirmed obligations. Some outstanding (and promised) guidance includes text messaging and social media. With at least a temporary ban on new regulations and other statements in place from the administration, it is uncertain when or if such guidance will be produced now. Hopefully, OCR will continue producing guidance, which in turn helps everyone connected to the healthcare industry comply with HIPAA better and more consistently.
There is no question that a lot of uncertainty exists at the moment as to the future for healthcare in all areas. Even if no clear picture can be provided with regard to enforcement or guidance, HIPAA remains the clear law of the land. It is a fairly well-settled area as well and there are many who can provide advice in meeting obligations. Organizations should not feel that an uncertain political climate enables regulatory obligations to slide. Such thinking could be dangerous and expose an organization to penalties down the road. From this perspective, parting advice is to keep asking questions, keep doing all that can be done to meet privacy and security obligations and act as though someone is looking over your shoulder asking questions.