HHS and the Office for Civil Rights (OCR) may be adopting a different approach to HIPAA compliance under the Trump administration, as evidenced by a notable reduction in enforcement actions in the past year. But don’t let down your guard just yet. HIPAA still has teeth.
The last year of the Obama administration saw a significant increase in HIPAA enforcement, with record-setting penalties and new compliance audits targeting both covered entities and business associates. There were 13 resolution agreements totaling almost $25 million in 2016.
That aggressive approach seemed to continue in the first half of 2017, with nine resolution agreements totaling $18 million in penalties. But then the enforcement actions dramatically slowed, explains David P. Saunders, JD, an attorney with the law firm of Jenner & Block in Chicago.
HHS went from commanding headlines with its HIPAA compliance resolutions to no one hearing from them at all for months, Saunders says. Does this signal a new attitude at OCR, one that would remove some heat from healthcare organizations’ efforts to comply with HIPAA?
Not necessarily, Saunders says. “It’s a little too soon to tell if this is the new normal or not, especially with a new secretary to be named,” he says. “That new secretary will have his or her own priorities in terms of how to go about HIPAA enforcement. We don’t know yet what HHS is going to look like under this administration.”
Looking back at the past year does suggest that HHS has been much less active with HIPAA enforcement than in the prior year, and the continuation of aggressive enforcement in the first half of 2017 may have been only a continuation of Obama-era policies until the new administration had time to influence the department, Saunders says.
“It could be because everyone’s attention was taken up with Obamacare reform, or it could be a purposeful new direction, but the objectively true fact is that they are concluding a lot fewer enforcement actions,” he says. “They seem to be more reactionary to breaches than proactive, aggressively so, in the prior year.”
But Saunders cautions that this is not necessarily what the healthcare industry will see from OCR in the next three years. It is possible that this is only a lull until the new administration expresses a clear intent to continue aggressive enforcement, particularly since the agency is waiting for a new director. OCR leaders may be waiting to get the go ahead for continuing enforcement actions at the same level as 2016, he suggests, because the Trump administration has a pro-business stance and has criticized what it calls excessive regulations.
The amount of money at stake may be a factor in deciding to continue the previous level of enforcement, Saunders says.
“Until May of this year HIPAA had been an area of tremendous growth for enforcement actions, going from low-level, million-dollar fines to double-digit, million-dollar fines, and billions in the aggregate,” he says. “They were doing it against not just ordinary run-of-the-mill hospitals, but they were also coming after business associates and not-for-profit hospitals. If you were violating HIPAA, you stood at some risk.”
Those large settlements are major achievements and career boosts for OCR leaders, so it will be hard for them to stop pursuing such trophies, Saunders says. The enforcement strategy could change, but OCR is unlikely to become a pushover in the next three years.
OCR has begun Phase 2 of the HIPAA Audit Program, reviewing the policies and procedures of covered entities and their business associates, and that is likely to yield some significant violations, Saunders says.
The enforcement actions that come out of the Phase 2 audit could bring more clarity to how the Trump administration’s OCR will pursue HIPAA compliance, he says.
Aggressive enforcement and huge settlements could mean a continuation of 2016’s OCR strategy, or smaller settlements could signal a more relaxed approach.
At whatever level, OCR will continue to focus on business associate agreements, Saunders says. OCR has demonstrated that the agreements are a primary concern in audits and enforcement actions, with regulators wanting to see that covered entities have agreements with associates and also that they are monitoring the compliance of contractors and subcontractors.
“It’s great to have the piece of paper, but if you’re not doing anything to confirm that the subcontractor is complying, that exposes you to some risk. HHS has made it clear that you can’t just point to a piece of paper and they’ll assume everything is fine,” Saunders says. “One organization got fined last year because they had the paperwork but weren’t doing anything with it.”
Saunders cautions that the current drop-off in HIPAA enforcement actions is no reason to let up on compliance. Even if OCR does pursue enforcement as much as it did in 2016, covered entities and business associates still have plenty of reasons to comply, he says.
“Don’t be led astray because of the small sample size of what’s going on late in 2017,” he says. “This is still a significant risk factor for any company that handles protected health information. The risk of HIPAA enforcement action is great, and you don’t want to be the next Equifax with not only the financial penalties and losses but also the damage to your reputation.”
- David P. Saunders, JD, Jenner & Block, Chicago. Phone: (312) 923-8388. Email: firstname.lastname@example.org.