[BreachExchange] HIPAA Enforcement Expectations and Updates for 2019

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 22 10:51:15 EST 2019


https://www.jdsupra.com/legalnews/hipaa-enforcement-expectations-and-35029/

Summing up the results of the previous year, regulatory experts have noted
that more than half of the businesses punished for HIPAA lapses in 2018
were well-known big business entities, making it a notable theme of the
year. While some experts say that regulators may be relaxing
enforcement of the regulation, others remain confident that the Department
of Health and Human Services (HHS) will be committed to robust HIPAA
enforcement in 2019.

To make predictions for the new year, experts are looking at the
enforcement trends in the past few years, and 2018 in particular. On the
one hand, the number of entities punished in 2018 looks less impressive
compared to 2016, when the HHS’s Office of Civil Rights (OCR) announced 13
enforcement actions, collecting a record $23.5 million in settlements and
fines. On the other hand, although 2018 saw only 10 enforcement
actions, the total payouts reached $25.7 million, including the standout
record-smashing $16 million settlement with Anthem, Inc. for a data breach
involving 79 million people. While the HHS OCR supports deregulation by
Trump’s administration, experts are skeptical that OCR enforcement will
slow down in the new year. As OCR Director Roger Severino announced in
October 2018 at the 11th annual HIPAA conference by the National
Institute of Standards and Technology, his statement made one year
earlier that OCR was looking for “big, juicy, egregious” cases allowed the
federal agency to collect $45M in penalties in the period between January
2017 and October 2018. According to some experts, the 2018 enforcements
targeting deep-pocketed healthcare entities confirmed the agency’s desire
for big settlements. Others believe that sanctions against high-profile
entities could be a mere coincidence and the tendency in 2018 showed that
OCR’s enforcement strategies are changing. One thing is clear: some changes
to HIPAA requirements are on the way. According to Severino, OCR is
currently seeking to eliminate certain regulatory requirements that
obstruct the provision of healthcare, and the agency is working hard to
eliminate the burdens to allow providers to concentrate on patient
treatment.

In mid-December of 2018, the HHS OCR requested public comments on potential
changes to HIPAA regulations. The Request for Information (RFI) seeks
public input on improving care coordination and reducing the regulatory
burden. The effort is to get input from providers, patients and industry
professionals on how to improve some of the administrative aspects of
HIPAA. The main focus of the RFI is on the HIPAA Privacy Rule, which could
be modified to promote coordinated, value-based healthcare by promoting
information sharing for adults in healthcare emergencies. The OCR is
concerned that current regulation “impedes the transformation to
value-based health care, and limits or discourages coordinated care”
without enhancing patient privacy. The agency is considering requiring the
sharing of protected health information (PHI) among health care providers,
not simply allowing it. Such mandatory, rather than permissive, PHI sharing
could potentially improve coordination of care, improve the value-based
care of mental disorders and promote the fight against the opioid crisis.
“We are looking for candid feedback about how the existing HIPAA
regulations are working in the real world and how we can improve them,”
said Severino. “We are committed to pursuing changes needed to improve
quality of care and eliminate the undue burdens on covered entities while
maintaining robust privacy and security protections for individuals’ health
information.” Public comments are due by February 11, 2019; the RFI is
available at https://www.federalregister.gov/public-inspection/