Brought to you by MSPmentor
After closing three HIPAA breach cases for a combined $11.4 million in penalties during the first six weeks of 2017, federal authorities haven’t announced the resolution of any new cases in the seven weeks since.
The start-of-the-year rush came on the heels of a record 2016, during which the U.S. Department of Health and Human Services Office of Civil Rights (OCR) collected $23.5 million in fines, up from $6.2 million in 2015.
A recent – relatively clandestine – changing of the guard in the OCR director’s office is raising questions about whether the change in presidential administration has prompted a commensurate pause in the pace of HIPAA audits and settlement agreements.
“I believe there are already a lot of investigations in the pipeline that will result in penalties, and an increase in audits, but nothing else really new,” compliance consultant Mike Semel told TechTarget in a recent article.
The security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) have become increasingly important to IT services providers working in the healthcare vertical, where newly digitized businesses offer lucrative opportunities.
But providing IT services in the healthcare industry carries risk for MSPs, who can be held liable as contracted “business associates” in the event electronic protected health information (ePHI) is handled in a manner inconsistent with federal security regulations.
The replacement in recent months of former OCR director Jocelyn Samuels occurred without so much as a news release on the office’s website.
Though it’s unclear precisely when she left the office, a Jan. 9 news release from OCR announcing a HIPAA breach settlement contains a quote from Samuels, while similar releases issued Feb. 1 and Feb. 16 carried quotes from acting director Robinsue Frohboese.
That same low-key approach was observed on March 22, when President Donald Trump appointed to the post Roger Severino, whose bio appears to have been quietly posted to the OCR website that day.
As of this week, there was no photograph attached to his official bio, and his philosophy and approach to the prior administration’s crackdown on mishandling of ePHI remains largely a mystery.
The Trump Administration has indicated it intends to dramatically cut federal regulations and it’s unclear whether HIPAA data privacy rules will be among those to be rolled back.
“Lessening regulation in the privacy and cybersecurity areas has not been an area that’s been addressed thus far in public statements or actions by the new administration,” attorney W. Reese Hirsch is quoted as telling Bloomberg recently.
In 2013, rules went into effect extending financial liability for failure to comply with HIPAA data security rules beyond covered entities - like healthcare providers - to business associates, which essentially includes anyone else who handles ePHI.
The following year, OCR launched a regimen of audits aimed at ensuring business associates were engaged with proper contracts and met the obligations of HIPAA regulations.
Virtually all of the cases being settled during the past couple of years involve violations by covered entities that date back years.
Given the years-long time lapse from the dates of violations until investigations are concluded and cases settled, it’s expected that cash payments involving designated business associates will trend upward in coming years.
Semel, founder and CEO of Semel Consulting, opined in the TechTarget article that since this is a presidential transition year, the incoming administration customarily puts a halt to all previous directives – like stepped up audits – until they complete reviews and set their own policies.
That could mean a slowdown in HIPAA compliance audits of designated business associates, like MSPs.
In the longer run, however, Semel expects the audits to resume with the same voracity as before.
“A change at the White House is unlikely to unravel over 20 years of legislation and rule-making,” he’s quoted as saying.
Given the President’s ambitious agenda, Semel doesn’t expect HIPAA reform to rise to the attention of lawmakers in the near term.
“At no time did I hear any politicians talking about HIPAA, so I don't think it will get a lot of attention,” he said.
This post originally appeared at MSP Mentor.
