How Will New HHS Secretary Lead Security, Privacy Efforts?Sizing Up the Future of HIPAA, HITECH Regulations Under Price
When it comes to health data security and privacy issues, industry experts aren't sure what to expect from Tom Price, M.D., the long-time congressman who was confirmed by the Senate Feb. 10 as the new secretary of the Department of Health and Human Services.
It's clear that a goal of the Trump administration is to reduce regulations. The president recently issued an executive order requiring two regulations to be identified for elimination for every new regulation issued by an executive branch department or agency.
What's not clear is where Price stands on enforcing or modifying the HITECH Act or the HIPAA privacy, security and breach notification rules.
"There has been bipartisan support for the HIPAA and HITECH standards," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Secretary Price comes into office with a reputation of opposing government regulatory activity, which impacts the day-to-day relationship between physicians and patients. We will all be watching for indications of how he views the HIPAA privacy and security rules."
Easing Physician Burdens?
During his time in the U.S. House of Representatives, Price repeatedly introduced legislation to repeal the Affordable Care Act, or Obamacare. He also was an advocate of easing timeline requirements for healthcare providers participating in the HITECH Act "meaningful use" financial incentive program for electronic health records. Under the program, participating healthcare entities must, for example, attest in each reporting period to conducting a security risk assessment of EHR data.
"Price is a physician who has complained of the huge burden of current regulations, so I imagine that he may not be a big fan of HIPAA. Many physicians are not," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "However, I don't think his personal views on the law will necessarily lead to a significant change in enforcement."
In a statement, the Healthcare Information and Management Systems Society, notes: "HIMSS looks forward to working with Secretary Price to ensure we realize the full value of health IT in ensuring interoperability, improving care, increasing access and driving better health outcomes to patients. HIMSS also recognizes the potential to explore the broadening of technology's impact through expanded use of telehealth, increased cybersecurity preparedness, and implementation of 21st Century Cures [Act]."
As HHS secretary, Price is also responsible for appointing a new director for the Office for Civil Rights - which oversees HIPAA enforcement - and a new leader for the Office of the National Coordinator for Health IT, which administers policy and standards related to EHRs and health data exchange. Those Price chooses to lead OCR and ONC will influence privacy and security regulatory activity.
Over the last two years, HIPAA enforcement activities had ramped up significantly under the leadership of OCR Director Jocelyn Samuels, who was appointed by Obama's HHS secretary, Sylvia Mathews Burwell. That includes a record number of HIPAA settlements - 12 - plus one civil monetary penalty issued in 2016, as well as the rollout of the often-delayed phase two of HIPAA compliance audits.
Last year, OCR conducted desk audits of about 200 covered entities and business associates, and the office announced plans to conduct an unspecified number of more comprehensive on-site audits during the first quarter of 2017.
OCR did not immediately respond to an Information Security Media Group inquiry about the status of the agency's on-site audit plans.
Some healthcare CISOs worry that any easing of HITECH or HIPAA privacy or security provisions - or a slowdown of HIPAA enforcement activities - could end up hurting progress that's been made over the last few years in bolstering health data protection.
"Regardless of your political leaning, the impact - good or bad - a president can have on cybersecurity is not always evident," says Dave Summitt, CISO and director of cybersecurity operations of Florida-based Moffitt Cancer Center. "I do believe President Trump will be good for the overall cybersecurity effort. However, the unintended negative impact will occur in the consequences of reducing regulations and/or regulatory enforcement."
Too many healthcare organizations are "performing 'compliance' security," Summitt says. "This is security for the wrong reason - and if they realize ... regulation has been eased, their focus of maintaining their security will be moved. Security will suffer."
Summit says he fears that would lead to even more health data breaches.
If HITECH Act "meaningful use" security requirements get scaled back, Summit says, "I fear security will take a back seat and risks will be increased. If this happens, 'meaningful use' will become 'meaningless use.' Healthcare security professionals have had an uphill battle for several years in helping boards and leaders understand cyber risks, and we've come a long way. I believe this would slow the progress."
Some privacy and security experts have a wish list of items they hope HHS will address under Price's leadership.
"For cybersecurity initiatives, I would like to see Secretary Price focus on how to make it easier for healthcare entities to put in place strong cybersecurity measures," Greene says. "Most small healthcare providers do not even know where to start to address cybersecurity threats, and they really need an easily understandable and cost-effective recipe for shoring up their defenses." p>
Greene says he'd also like to see Price review the new final rule amending 42 C.F.R. Part 2 regulations related to the privacy of substance abuse treatment records (see Impact of New Privacy Rules for Substance Abuse Patients).
Those amendments include some positive changes to enable patients to provide consent for the sharing of their records through health information exchange, Greene says. But the provisions also set up some new obstacles to information sharing, such as requiring that patients specifically name the individual at an entity with whom data can be shared - which isn't always practical, Greene contends.
Holtzman hopes Price will be open to updating HIPAA. "The HIPAA Security Rule is terribly outdated and ill-equipped to support the threats and vulnerabilities of today's healthcare technology, much less tomorrow's innovations," he says. "The rule was developed to address the information demands of a bygone era. The secretary should consider taking a 'moonshot' approach to bringing health information security standards into the 21st century."
Meanwhile, Summit would like to see HHS and other regulators take steps to help ensure data security as the internet of things continues to grow.
"Regulation in this arena is already lacking," he says. "And if the ... development and manufacturing of these devices does not fall under some type of security requirements, then IoT cyberattacks will become much greater and have an even greater impact on people than they do now."