To state the obvious, there has been some uncertainty regarding how the Trump Administration will affect federal agency enforcement efforts. However, at least with regard to HIPAA Privacy and Security, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) appears to be holding to its previous course.
In the first four months of 2017, OCR has already announced seven settlements with covered entities and business associates with fines totaling over $14 million. For some context, OCR assessed over $23.5 million in 2016, which was a record-breaking year. These settlements are in addition to Phase 2 of OCR’s Privacy, Security, and Breach Notification Audit Program, which started in 2016 and is likely still underway.
The Phase 2 audits are being conducted in three rounds. Rounds 1 and 2 were remote desk audits of covered entities and business associates, and examined compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. Although Round 2 was expected to start in late September 2016 and end by December 2016, OCR delayed the start of Round 2 until after the 2016 Thanksgiving holiday. Round 3 consists of onsite audits of covered entities and business associates and will examine a broader scope of requirements from the HIPAA Rules than the desk audits did. Some desk auditees may be subject to a subsequent onsite audit.
In late March, the Trump Administration appointed Roger Severino as the Director of OCR. Mr. Severino comes from the Heritage Foundation, a conservative think tank. Generally, it is too soon to determine how the new leadership will affect OCR’s HIPAA enforcement efforts in the long term. However, given that HIPAA enforcement is not a major partisan issue, particularly when compared to health reform, it is possible that OCR may continue its course.
Therefore, covered entities and business associates may be well advised to continue their HIPAA compliance efforts, which include, amongst other things, implementing privacy and security policies and procedures, ensuring business associate agreements are executed, and conducting a risk analysis to assess the risks and vulnerabilities to e-PHI.