We are a year into a new presidential administration, and yet it seems we are asking the same question that we were at this juncture last year: What will Health Insurance Portability and Accountability Act enforcement look like under the new administration? Several factors have caused us, a year later, to be asking the same question, whether it is the change of U.S. Department of Health & Human Services secretaries or the never-before-seen catastrophic natural disasters that occurred in Texas and Puerto Rico in 2017. Still another reason could be something much more plain: Perhaps we are waiting for something that will never come. Perhaps what we have seen in the last 12 months in HIPAA enforcement represents the new normal. One way to evaluate that hypothesis is the annual rite of budgeting and setting of legislative priorities.
Every fall, each of the executive branch agencies publishes its regulatory priorities for the coming year. Soon after those priorities are published, traditionally, the president presents to Congress a budget for the fiscal year. These documents are each tea leaves: methods by which industry participants can look forward to see what the future may hold for their industry. And such is the case in early 2018. Both HHS' regulatory priorities and the president's budget give a clear directional sense for what HIPAA enforcement may look like in 2018 and the foreseeable future. And the name of that game appears to be "less is more."
In this space over the past several quarters, we have discussed the dramatic drop-off in HIPAA enforcement actions brought by the Office of Civil Rights. Between May 2017 and December 2017, there were a total of three OCR resolution agreements announced as a result of HIPAA violations. That compares to seven resolution agreements during the same time period in 2016. Of course, in the midst of writing this article, OCR has announced two enforcement actions in February 2018, nearly matching their total from the last seven months. Time will tell whether February was an aberration, or a sign that OCR now has its feet underneath it in this new administration and will return to the breakneck pace that it reached in 2016. Regardless, the last year of HIPAA enforcement has been slow, and appears commensurate with HHS' new less-is-more strategy when it comes to regulation.
HHS' 2018 Regulatory Priorities
HHS' Statement of Regulatory Priorities is unapologetic in its less-is-more approach to regulation. The introduction to the piece explains that HHS wants to "empower individuals and communities by reducing the burden of compliance" while also "streamlining its regulations." Those two touchstones, and a third -- "meaningful information sharing" -- are the central tenets of HHS' regulatory priorities for 2018. A note before we get too far into dissecting HHS' regulatory priorities is that those priorities cover a wide array of functions covered by HHS (e.g., the U.S. Food and Drug Administration), but this piece focuses on those priorities that may impact issues related to HIPAA and HIPAA enforcement.
As early as the middle of 2017, it was clear that this HHS had as a priority a method to develop greater information sharing among companies that are regulated by HHS. Only a few months into 2017, HHS had announced a new information sharing platform for responding to cyberattacks. Then, as we saw an unprecedented hurricane season wreak havoc, HHS' updates and releases related to those disasters again stressed the importance and need for information sharing in times of crisis. It is therefore of no surprise that among the first priorities set forth in HHS' regulatory priorities for 2018 is developing greater mechanisms and methods for facilitating information sharing, especially related to electronic data and records.
Most industry participants are in agreement that greater information sharing will enable HIPAA-covered entities and business associates to better treat individuals, respond to crises and conduct medical research. Yet, HIPAA has historically placed significant limits on the ability of covered entities to share information without the consent of the patient. Indeed, in this era of big data, one of the more prominent struggles has been with how electronic medical records providers and other cloud services can use HIPAA-protected information to deliver better service. Perhaps, if HHS blazes a new regulatory path to greater information sharing, some of the obstacles that have limited the use of protected health information will be lifted. Of course, doing so would require a delicate balancing act given the fundamental -- and congressionally endorsed -- desire for individuals' medical data to be secure and theirs to control except in limited circumstances.
Fitting with this administration's approach to regulation as a whole, it is unsurprising that nearly 25 percent of the regulatory priorities of HHS for 2018 relate to "minimizing duplication and burdensome requirements" and "eliminating outdated restrictions and obsolete regulations." HHS makes clear in its regulatory priorities that certain regulations that exist today will be gone tomorrow. Whether they are consolidated and parts of them kept, or whether they are swept away entirely, the regulatory priorities statement makes clear that industry participants should expect potentially sweeping rule changes as early as 2018.
Interestingly, HHS' regulatory priorities document does indicate that there will be a need for new regulations as well, to "clarify" issues that HHS believes are currently unclear in the regulatory framework. In HHS' words, however, "the rulemakings described above must be accompanied by serious efforts to decrease the burden of complying with federal regulations." For anyone looking to read tea leaves as to what that means for HIPAA enforcement action, the message would seem fairly clear: There will be fewer regulations, and fewer enforcement actions. And that could explain why 2017 was as quiet as it was with respect to HIPAA enforcement.
Another theme of HHS' regulatory priorities document is to "enhance regulatory flexibility so that its state and community partners are better able to tailor their programs to fit the needs of the people they serve." In the context of HIPAA, this is a particularly interesting priority.
At a time when almost every state is developing its own cybersecurity and breach notification rules, there is still a general rule of federal preemption when it comes to HIPAA, with only a narrow exception for additional state laws and regulations that are in excess of the requirements of HIPAA. It is not inconceivable that, in "streamlining" HIPAA regulations, HHS looks for ways to give the states more rights to legislate the security and use of medical information. That is a change, however, that most industry participants likely do not look forward to, as it could replace what is currently a mostly uniform regulatory rubric with one that could look different from state to state. Many industry participants would consider that a step backward, and having the opposite effect of "reducing the burden of compliance."
It will be interesting to watch whether the desire to give more regulatory power to the states means that the orderly HIPAA regulations made by HHS will be abandoned in part in lieu of what could be regulations from each of the 50 states. Suffice to say, that would be big news in the HIPAA world.
President's Budget for HHS
The age-old saying is that "numbers don't lie." And in this case, the president's budget may provide us with the clearest signal that OCR, charged with enforcing violations of laws like HIPAA, is going to take a back seat in this administration to other priorities. In 2016 and 2017, OCR's budget had been $39 million, with 170-plus full-time equivalent employees. The 2018 budget cuts $6 million and 17 full-time equivalents. Again, the new approach seems to be less is more. And with a smaller budget and fewer staff, it would not be at all surprising to see HIPAA enforcement actions continue to drop during this administration rather than resume the breakneck pace that they had experienced in 2016.
Two other items of note in the president's 2018 budget with respect to HHS, and as stated in the "Budget in Brief" piece available on HHS' website: (1) HHS will be focused on addressing the opioid epidemic, and (2) will be subject to "large-scale reorganization, workforce restricting, and efficiency proposals."
What does all this mean? It likely means that HIPAA enforcement, which appeared to be a priority at the end of the last administration, is taking a back seat to HHS' work on the opioid epidemic. In fact, a glance at the budget for HHS reveals that while OCR is having its budget cut, other parts of HHS -- those responsible for, among other things, response to the opioid epidemic and addressing issues related to mental health -- are getting increases in their budget. To the extent that the budget tells us anything, it tells us that HHS will have clear priorities related to mental health and addiction, issues that obviously implicate HIPAA but do not relate directly to enforcement of HIPAA regulations. Given how the budget numbers have appeared, if there is going to be a "large-scale reorganization" of HHS, one would expect that it would involve a further cut to regulatory enforcement areas of HHS in order to focus on the more individual-centric parts of HHS, which get the lion's share of the HHS budget.
And So What?
For a year, we have asked what HIPAA enforcement will look like under this administration. Between the regulatory priorities of HHS and the president's budget, we may not have to ask that question much longer. It appears that regulatory enforcement is going to wane in its import, and there will likely be actions taken to both reduce the number of regulations and the number of "sheriffs" who police those regulations. Only time will tell whether those changes will be a good thing for the security and privacy of individual health information.
This article was first published in Law360.