Editors’ Note: This is the first of a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Up next: the emerging threat landscape.
Like many things in Washington, the HIPAA landscape in 2018 will be shaped by the shifting priorities of President Trump’s new administration. Early signs point to less funding for the Office of Civil Rights (“OCR”) within the Department of Health and Human Services, which is responsible for enforcing HIPAA. This is likely to lead to fewer enforcement actions, but not necessarily less aggressive enforcement within those actions, as enforcement settlement is set to become an increasingly important part of OCR’s budget. On the state level, the work OCR is unable to do may be taken up by state attorneys general eager to protect the privacy concerns of their constituents and contrast themselves with the Trump administration.
A Leaner (and Meaner?) OCR
OCR’s annual Congressional Justification for FY2018 envisions a $6.194 million budget reduction, with the lion’s share ($5.334 million) coming from its current budget for regional enforcement operations. This does not necessarily portend a large drop in HIPAA enforcement, as OCR proposes to “increase use of funds from monetary settlements via OCR’s HIPAA enforcement activities to cover other items related to health information privacy (HIP) enforcement activities.” At the same time, OCR envisions continuing to shift its work from “routine investigations” to “larger, more complex work that impacts a broader audience.”
The Congressional Justification points to fewer, but larger enforcement actions in which OCR will be seeking not only practice changes but also sizeable fines (on which OCR will increasingly come to depend to fund itself). As compared with last year’s Congressional Justification, it also points to more modest ambitions. Last year, I noted that OCR had expressed high hopes for addressing a wide variety of topics – big data, internet-of-things issues, and cloud computing – even as OCR acknowledged that some issues would be beyond HIPAA’s purview and OCR’s ability to regulate. None of these issues appears in this year’s Congressional Justification, which is a shame. While of course no entity is clamoring to be regulated by OCR, some developments in these rapidly-changing spaces could benefit from regulatory guidance, if only to provide certainty for the years ahead.
A New Director Seeking A “Big, Juicy, Egregious” Breach Case
OCR’s new director, Roger Severino, is beginning to lead an agency with more modest ambitions, but when it comes to enforcement, Severino’s ambitions are anything but modest. Speaking at a conference earlier in the year, Severino said his top priority in the coming years is a “big, juicy, egregious” breach case to set the tone for OCR enforcement in the Trump era. Severino declined to give more specific detail – “I haven’t zoomed in on a particular area, whether it will be cybersecurity, ransomware, physical security, etc.” – though he added that he would “have to balance that law enforcement instinct with the educational component that we do.”
Severino does not have a HIPAA background, but he certainly has law enforcement experience, having worked for seven years as a trial attorney in the Civil Rights Division of the Department of Justice. Severino says he has “gotten up to speed on HIPAA” in his first few months on the job.
Possible New Guidance on Fees for Medical Records
The Congressional Justification notes that this year’s House Appropriations Committee Report contained substantial concern, especially from businesses, about OCR’s February 2016 guidance regarding patients’ access to their medical records and, particularly, fees for such access. The guidance sets out methods by which a HIPAA covered entity may calculate a “reasonable, cost based fee” to be charged. The guidance has caused concern and confusion since its posting, resulting in subsequent FAQs and clarification from OCR, but also continued uncertainty for covered entities. Covered entities face a patchwork of state laws regarding medical records fees in addition to OCR’s guidance. The House Report criticized OCR’s “restrictive calculation scheme” as imposing additional compliance costs, and charged that the guidance created confusion as to how OCR’s requirements apply to requests from commercial entities.
In response, OCR stated that the guidance was the result of “many complaints it had received from individuals over the years about some covered entities and release of information (ROI) vendors charging fees in excess of what [HIPAA] allows.” OCR stated it was “open to working further with Congress and other stakeholders” to address the issues raised by the guidance. With a Congress that is likely to remain sympathetic to the interests of businesses attempting to comply with HIPAA, it is possible that in the coming year we will see additional clarification from OCR designed to allay business concerns.
Enthusiasm from State AGs
Many state AGs in the age of Trump have either promised, or already begun, to take up enforcement activities that they anticipate will be under-pursued at the federal level. As OCR continues to move away from “routine” HIPAA enforcement, we can anticipate more aggressive enforcement from state AGs under state privacy laws. Especially as privacy issues in general – not only health information – continue to loom large in the public imagination, state AGs are likely to use the tools available to them on behalf of citizens.