Government & Policy
Despite Trump health policy chaos, hospitals can count on more HIPAA audits and fines, privacy lawyer says
Pamela Hepp predicts that Congress will not ultimately repeal the ACA. But even as Republicans look to shrink government, they are historically strong on enforcement — and HIPAA will not be an exception.
Amid all the rhetoric about repealing and replacing Obamacare, one thing healthcare and information security executives should expect to remain constant: HIPAA audits and subsequent financial penalties.
“President Trump has indicated there are certain areas of enforcement that will either continue or ratchet up," said Pamela Hepp, healthcare attorney for Pittsburgh-based Buchanan, Ingersoll & Rooney. "Which is not surprising: Republican administrations may be, as a general rule, in favor of smaller government, but they do tend to be stronger when it comes to enforcement."
Indeed, this past month alone has seen three big monetary enforcements from HHS's Office for Civil Rights – $31,000 here, $400,000 there, $2.5 million over there – for infractions such as failure to have a business associate's agreement in place, lack of security management process and impermissible disclosure of protected health information.
OCR pledged more on-site HIPAA audits in December 2016, and so far it looks like the agency has kept its promise.
"There has been an indication, from a data security standpoint, that they will remain strong," Hepp said. "We have seen an increase in enforcement activity, and I don't see that changing."
Ransomware has been rampant these past couple years, for example, and cybercrooks' ability to perpetrate and propagate those attacks is enabled greatly by healthcare organizations widespread lack of infosec basics such as patch management, regular updates and of course risk assessments to pinpoint vulnerabilities and put security controls in place that address those.
"Those are all issues that OCR has identified as part of their Phase 1 audits, and are focusing on for their Phase 2 audits," said Hepp. "So I think that's in keeping with what OCR has been seeing, and what you've been seeing with some of the breaches."
What's more, when OCR is notified of a breach or receives patient complaints, the agency investigates and Hepp said she’s seeing OCR look into situations that in the past perhaps they did not.
"Right now I would say that we're in an enhanced enforcement environment,” Hepp said. “I don't believe that's going to change."
The fate of the Affordable Care Act, however, remains undecided. And even if the Republican Congress fails once more to replace the law with its retooled American Health Care Act, there's little reason to think GOP lawmakers wouldn't circle back around again for a third crack at ACA repeal. So for now, uncertainty reigns.
But as a longtime lawyer in the healthcare space, Hepp noted that every new administration changes rules in one way or another. That's just something that she, and her healthcare clients, have to deal with.
At any rate, her hunch is that the ACA ultimately will not be repealed.
"So much of the train has left the station with how payment is being made that the focus is now on quality and that's resulted in changes in not just the delivery itself, but in the delivery system – ACOs, clinically integrated networks – all for the purpose of being able to demonstrate savings, which requires coordination of care, all of which requires access to information," Hepp said. "And I don't see any of that going away."