Is HIPAA Enforcement Winding Down?Experts Analyze the Trump Administration's Enforcement Activity and What's Ahead
Are federal regulators beginning to slack off on HIPAA compliance enforcement?
While some regulatory experts say the lack of recent settlement announcements could signal the start of a lasting trend, others contend that the Department of Health and Human Services remains committed to aggressive HIPAA enforcement and could ramp up its activity as it hires more staff.
In 2016 - at the height of HIPAA enforcement activity by HHS, its Office for Civil Rights announced 13 enforcement actions, collecting a record $23.5 million in settlements and fines.
In 2017, HHS issued 10 enforcement actions involving resolutions agreements and settlements, totaling $19.4 million. But the agency disclosed nine of those settlements in the first five months of last year, including two settlements announced in January, while the Obama administration was still in office.
Only one 2017 HIPAA enforcement action - a $2.3 million settlement in December with bankrupt Florida-based healthcare provider, 21st Century Oncology - was announced in the second half of 2017.
Since then, HHS has announced only three other HIPAA enforcement actions involving University of Texas MD Anderson Cancer Center, Massachusetts-based Fresenius Medical Care North America and the now-defunct Illinois-based medical records storage vendor FileFax.
OCR HIPAA Enforcement Actions So Far in 2018
|Breached Entity||Enforcement Action||Amount|
|University of Texas MD Anderson Cancer Center||Civil Monetary Penalty||$4.3 million|
|Fresenius Medical Care North America||Settlement||$3.5 million|
All of the HIPAA enforcement cases in 2017 and so far in 2018 have involved health data breaches or HIPAA complaint investigations dating back to the Obama administration era.
Because these investigations can take years, it's not surprising or unusual that the nearly dozen HIPAA enforcement actions taken so far during the Trump administration involved investigations into cases that started during the previous administration.
The question now is whether OCR, under the Trump administration, has a similarly heavy pipeline of ongoing HIPAA investigations that will lead to compliance enforcement actions in the months and years to come. While some regulatory experts don't expect a resurgence of enforcement activity, others say the current lull is temporary.
Staying the Course?
Privacy attorney Iliana Peters, who joined law firm Polsinelli earlier this year after serving more than a decade as a senior adviser at OCR, claims the agency is not shifting away from its HIPAA enforcement focus.
"I do not think that the fact that HHS OCR has had fewer public announcements of HIPAA settlement or civil money penalty cases indicates any change in the priorities of OCR under either Director Roger Severino's leadership, or under the leadership of HHS Secretary Alex Azar or others in the current administration," she says.
"Data privacy and security, particularly concerning sensitive information like health information, are bipartisan issues, the importance of which everyone recognizes. It's true that settlement and civil money penalty cases take not only more time to investigate, but also more resources, in terms of staff, counsel, and leadership involvement. OCR takes seriously its responsibility to move forward to potential litigation in cases that will improve protections for individuals' health information and that will help the healthcare industry understand its responsibilities to protect such information."
OCR's case load has increased significantly, given the number of breaches reported to it affecting 500 or more individuals that it must investigate, Peters points out. "So potential cases for this type of enforcement are, in fact, increasing, and not decreasing."
The fact that OCR recently announced a civil money penalty win against MD Anderson "hits the point that OCR is serious about HIPAA enforcement," she adds.
Some other privacy and security experts, however, contend that the recent slowdown in enforcement cases could be signaling a shift in priorities at HHS.
"In my opinion, the return to the aggressive OCR enforcement we saw in past years will be in 2021," says privacy attorney David Holtzman, vice president of compliance at security consultancy Cynergistek, referring to the period after the next presidential election.
Severino, the OCR director, has repeatedly voiced a commitment to enforce HIPAA, including in comments at the HIMSS18 conference in February. But Holtzman and some other observers remain skeptical, given the Trump administration's emphasis on deregulation.
Assessing OCR enforcement activity is a tale of two distinct operations, says Holtzman, who formerly worked at OCR.
"Data from OCR suggests that there has not been a discernible slowdown in the investigations conducted by the regional offices of complaints brought by individuals and the compliance reviews of large breaches which are taking place at substantially the same pace and volume," he says. "But the OCR director and his management team in Washington make the final decision on whether to pursue fines and penalties on cases where the investigation by the regional office has determined that the covered entity or business associate has committed a serious, systemic violation of the HIPAA rules."
What's the Impact?
If HHS does, indeed, pare back on its HIPAA enforcement activities, will covered entities and business associates get lazy in their HIPAA compliance programs - as well as their broader health data security efforts?
"Regardless of whether or not HHS intentionally eases up on enforcement, CEs and BAs who are not fully on board with strong privacy and security controls may infer this is the case," says Kate Borten, president of privacy and security consultancy The Marblehead Group. As a result, they may reduce their efforts to strengthen their privacy and security programs, she contends.
"CEs and BAs always face competing priorities, and this appearance of lax enforcement may tip the scales," she contends.
But Holtzman notes that while enforcement may be waning at the federal level, the states appear to be picking up the slack.
"There has been a marked uptick in states adopting new standards for data protection standards and breach reporting," he says. "Many of these new laws require organizations to protect health information that would not be protected by HIPAA and enforce these requirements on data about that state's residents when held by any entity, anywhere. A number of state attorneys general are bringing enforcement actions under HIPAA and state law requirements to protect consumer information from unauthorized disclosure."
Privacy attorney Stephen Wu of the Silicon Valley Law Firm says that a number of factors could be contributing to the apparent recent slowdown in HIPAA enforcement activities at OCR.
"There's a less heavy regulatory emphasis in the Trump administration as a matter of political position. And it's also taking longer than most administrations for the Trump administration to staff up," he notes, including filling open positions at OCR.
Privacy attorney Kirk Nahra of the law firm Wiley Rein, however, cautions against trying to read too much into a snapshot of enforcement activity.
"While I personally do not think the dollar volume of fines is a useful measurement of the amount of enforcement - 10 small enforcement matters may be 'more' enforcement than one large fine - we have seen some drop-off in enforcement," he notes. "I suspect this is largely an issue of staff changes and ongoing transition, but there may be some other elements involved, as well."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says there's often a lag with enforcement activity as new administrations settle in.
"We typically see less enforcement in the beginning of an OCR political appointee's tenure, and more toward the end of the tenure," Greene says. Compounding this, he notes, "we have seen significant turnover within OCR recently, including at the lead enforcement position, which may also be more responsible for the apparent slowdown in enforcement than a change in direction. Based on these factors, I do expect enforcement to pick up some more later this year or next year."
Among top ranking leadership to leave OCR in the last year was long-time privacy advocate Deven McGraw, who joined the agency in 2015 as deputy director of health information privacy.
In addition, the February departure of Peters, a long-time OCR senior adviser for HIPAA compliance and enforcement who was named OCR acting deputy director of health information privacy after McGraw left last fall, also had a big impact, some observers say.
Since taking office, the Trump administration has also sought to cut OCR's budget. But despite the White House's request for deep budget cuts in fiscal 2018, Congress in March passed and President Trump signed into law flat funding of nearly $38.8 million for the agency in the current fiscal year.
The administration has proposed a 16 percent cut in OCR's budget for fiscal 2019.
Nonetheless, Peters says she's also hopeful that OCR will eventually resume the work it started in 2015 and 2016 to advance its HIPAA compliance audit program, which is now in limbo.
"Given that the requirement for OCR to undertake periodic audits is in the HITECH Act, I believe that the audit program will continue in some form or fashion into the future, although that form will depend on the resources available to OCR for such a program."
HHS OCR did not immediately respond to an Information Security Media Group request for comment on the agency's latest enforcement trends or plans.