In this space in April 2017, I wrote that “[t]wo months into the Trump administration, and at least externally, it would seem that the old saying that ‘the more things change, the more they stay the same’ is alive and well at the U.S. Department of Health and Human Services when it comes to the Health Insurance Portability and Accountability Act.” And at the time, that was correct, with HHS coming off one of its most active enforcement quarters ever with respect to HIPAA compliance. Five months later, however, HHS has announced only one additional compliance agreement, and has been quiet save for its responses to the WannaCry attack and Hurricanes Harvey, Irma and Maria. So now, eight months into the Trump administration, we are left to wonder: is this the new HHS? Responsive rather than proactive?
Unfortunately for companies in the health care sector, the resignation of HHS Secretary Price on Friday, Sept. 29, 2017, means that it may still be too early to tell. The direction of HHS may very well depend on who is appointed as the next secretary, something we may not know for some time. Then, once there is a new secretary, it may still take several months for the health care industry to discern what the HHS approach will be under the Trump administration. Nonetheless, this article examines HHS’ new, reactive approaches to HIPAA under Price in the event that they are reflective of how HHS will operate into the future. However, the author must acknowledge that this story is now very much incomplete given that there will soon be new leadership at HHS.
Where Did the Enforcement Actions Go?
The last year of the Obama administration’s HHS was marked by a dramatic increase in HIPAA enforcement actions, which routinely grabbed headlines for their record-setting penalties. Combined with a new HIPAA compliance audit targeting covered entities and business associates, HHS was on the come. HHS was beginning to be a regulator that was making noise and causing a shift in attitudes regarding HIPAA compliance in the health care industry. In 2016, there were 13 reported resolution agreements totaling nearly $25 million in penalties.
When the Trump administration took over in January 2017, the question, as is common with any new administration, was whether HHS would continue with its newfound aggressiveness. Obviously each new administration takes its time to find its own footing, and often the first several months of a new administration are spent handling the leftovers from its predecessor. Perhaps then it should not have been such a surprise that HHS continued its breakneck enforcement pace through May 2017. In the first five months of 2017, HHS announced nine resolution agreements totaling nearly $18 million in penalties. By May 2017, HHS was poised to eclipse its record-setting year in 2015 with respect to resolution agreements and the imposition of fines. And then June 2017 hit. It has now been three full months since HHS announced a single compliance agreement. One has to go back almost three years, to December 2014 through April 2015, to locate a similar gap in HHS’ announcement of resolution agreements.
The question that many are asking is why there has been this precipitous drop-off. Is it because bandwidth was reallocated to the ongoing HIPAA audit, where the on-site portion began in the first quarter of 2017? Or was it the attention of HHS and its secretary to the administrative and legislative machinations of the Affordable Care Act? Whatever the reason, it is indisputable that HHS has gone from announcing HIPAA resolution agreements at a breakneck pace to literally not announcing any.
We Want to Help, But Congress Is Not Sure If We Should
May 2017 was a remarkable month for HHS. During May, HHS announced its last resolution agreement and the global health care industry suffered a ransomware attack. On May 12, 2017, WannaCry effectively shut down substantial portions of the health care services industry in the United Kingdom. The attack left many in the health care industry scrambling, looking to upgrade legacy operating systems and improve cybersecurity.
Announced before WannaCry, but taking center stage shortly after, was HHS’ formation of the Health Cybersecurity and Communications Integration Center (HCCIC). HCCIC, modeled on the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), was meant to offer a vehicle for health care services participants to share information regarding threat detection and cybersecurity attacks. While HCCIC was received with varying degrees of skepticism and promise by industry participants, it did not receive the same greeting from legislators. Members of the Senate Homeland Security and Governmental Affairs Committee quickly decried HCCIC as creating unnecessary duplication and more government bureaucracy. As a result, what could have been a tangible accomplishment for HHS in the early months of the new administration has a murky future.
Remember, HIPAA Still Applies In Hurricanes
Other articles in this space have offered detailed analyses of HHS’ HIPAA bulletins related to Hurricanes Harvey, Irma and Maria. Therefore this article will not belabor the details of those bulletins other than to note some of the highlights. The bulletins stress that even in emergency situations, both HIPAA’s privacy rule and security rule remain in effect. This is especially important with respect to business continuity and disaster recovery planning and the implementation of those plans. Hospitals and other medical facilities (makeshift or otherwise) often become aggregators of great quantities of information during emergencies. The HHS bulletins emphasize the need to keep that data safe and secure while also serving as a disseminator of information regarding the status of individuals to their relatives.
Despite the continued effect of HIPAA’s privacy and security rules, the secretary of HHS has the power to — and did with respect to Harvey, Irma and Maria — exercise his authority “to waive sanctions and penalties against a covered hospital that does not comply” with certain HIPAA privacy rule provisions. Specifically, these are the requirements to distribute privacy notices, to permit a patient to request confidential communications or privacy restrictions, to permit a patient to opt out of the facility directory, and to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. Each of these waivers is critical in the provision of emergency health care services.
So, Is This the New HHS?
Almost certainly not. Although we caught a glimpse of HHS under Price, with new leadership there may very well be a new direction for HHS. What we can say is that under Price, HHS was more reactive than in the recent past. In response to WannaCry and to Hurricanes Harvey, Irma and Maria, HHS attempted to take steps that would benefit covered entities and business associates covered by HIPAA. HHS’ actions also served to ensure that patients continued to receive medical treatment without delay or impediment. And yet, HHS has been eerily silent when it has come to enforcing HIPAA rules through enforcement actions. Stay tuned for when a new secretary of HHS is appointed.
This article was first published in Law360.