As federal policy rapidly develops under the Trump Administration, much of it reversing or seeking to reverse the Obama legacy, the world of medical privacy (at least that which is on the books for now) remains static – after all, privacy always has been a bipartisan issue.
Right? Not so fast . . . Trump signed into law a Joint Resolution that nixes FCC Internet Privacy Rules.
Despite the partisan pro-business move on Monday night, medical privacy appears to be flying under the Trump radar. But, as we address below, could storms be brewing? Depends on which cloud you look at.
Last week, we heard directly from the country’s new #1 medical privacy enforcer, Roger Severino, recently appointed as the new Director of the Office for Civil Rights (OCR) at HHS. He briefly addressed stakeholders at the 26th National HIPAA Summit. In his brief remarks, he laid out his approach in broad strokes, drawing upon personal experiences with identity theft, focusing on the importance of ensuring that health information is safe and secure, and that individuals have confidence in the system. He did, however, balance those statements by assuring stakeholders that OCR would also consider the interests of regulated industry, consider feedback to make the agency’s work efficient, and “eliminate burden where we can . . . for regulated industry.”
His approach is consistent with Trump’s pro-business and efficient government policy, but he provided no detail on specific changes or developments regarding HIPAA policy. Other OCR officials, however, discussed specifically developing the following rulemaking and guidance documents:
- Finalizing an Accounting of Disclosures Rule, as required by the HITECH Act;
- Guidance on the “Minimum Necessary” requirement;
- Updates to outdated guidance on its website; and
- Implementing requirements of the 21st Century Cures Act:
  - Participate in a working group to make recommendations to HHS on “whether the uses and disclosures of Protected Health Information [(PHI)] for research purposes should be modified to allow [PHI] to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals’ privacy rights;”
  - Within one year, HHS is required to issue guidance on authorization for use and disclosure of health information for research; and
  - Provide guidance to health care providers, patients, families, and others, on appropriate uses and disclosures of PHI of those involved in mental health or substance use disorder treatment.
Notwithstanding the above promises, the following factors will ultimately influence rulemaking, guidance and policy, and regulatory enforcement by OCR:
- Trump Administration regulatory hurdles – e.g., the regulatory freeze (Memorandum for the Heads of Executive Departments and Agencies), and Executive Order on Reducing Regulation and Controlling Regulatory Costs (EO). The OCR officials at the HIPAA Summit neglected to mention how the agency intends to issue rules or guidance during a regulatory freeze, or whether they plan on eliminating two rules for every rule that is introduced (a Trump Administration requirement under the EO).
- Director Severino will set policy at OCR, including its enforcement policy, and determine priority for any forthcoming policy in the agency’s policy pipeline. It remains somewhat unclear how much enforcement will be a priority for him. Director Severino recently served as Director of the DeVos Center for Religion and Civil Society in the Institute for Family, Community, and Opportunity at the Heritage Foundation. Before joining the Heritage Foundation in 2015, he was a trial attorney for seven years in the Department of Justice’s (DOJ) Civil Rights Division where he litigated cases involving sex, race, national origin, religion, disability, and familial status discrimination. Accordingly, Director Severino’s background appears more aligned with OCR’s enforcement of federal civil rights laws, as opposed to HIPAA privacy and security. Regardless, during his address to stakeholders at the HIPAA Summit, Director Severino suggested that he would rely heavily on OCR staff. He specifically acknowledged that he has already learned much from Deven McGraw, OCR’s Deputy Director of Health Information Privacy.
- OCR’s budget currently has funds to adequately enforce HIPAA (it has issued four Resolution Agreements this year and its Phase II Audit Program for Covered Entities and Business Associates is working toward completion). Regardless, funding has always been an issue for OCR, and if the agency’s budget is reduced, its Audit program and any new or revised guidances may be casualties.
- Nevertheless, it is possible that at least certain deficits in budget may be overcome through amounts received by the agency through enforcement, e.g., Resolution Agreements (including significant Corrective Action Plans), and Civil Monetary Penalties.
- Congress has a big influence when it comes to HIPAA given that much of OCR’s current regulatory framework stems directly from the 1996 law and, more specifically now, from the 2009 HITECH Act. Although it appears that Director Severino is amenable to receiving feedback and reducing burden, where possible, for Covered Entities and Business Associates, it remains that HIPAA draws broad bipartisan support across the federal legislature. However, as we highlighted at the beginning of this post, given this week’s new resolution negating the implementation of FCC’s Internet Privacy Rules, it bears emphasizing that Congress can be inconsistent or unpredictable.
Based on the foregoing, particularly Congress’s move against Obama’s FCC paradigm, the future of HIPAA is less certain than it was just a few months ago. To be clear, we have no specific reason to believe that fundamental changes are coming and, given all of the foregoing factors, we’re not putting all our eggs in any one Easter basket. But we never stop paying very close attention – particularly with this Administration.
So, stay tuned with us.