Attorney David Holtzman writes:
The HHS Office for Civil Rights, the agency with primary responsibility for regulation of the HIPAA standards, is slated to address a controversial proposal developed under the Trump administration that would make extensive changes to the Privacy Rule, a congressional mandate to expand its mission into the confidentiality of substance use disorder treatment records, and the department’s shifting approach to information security requirements for the healthcare industry.
Holtzman addresses some concerns that I have raised frequently about HHS OCR’s enforcement — or lack thereof:
OCR has been mum on its approach to enforcement of the HIPAA breach and security rules. One explanation could be the impact being felt by the 5th Circuit Court of Appeals decision overturning an enforcement action against the University of Texas MD Anderson Cancer Center.
In that case, in which a covered entity appealed a determination by OCR that resulted in a $4.3 million civil monetary penalty, the court took issue with the processes and analysis employed, which have made it much more difficult for the agency to enforce the HIPAA and HITECH standards.
There are some who believe HHS OCR will need to go back to the drawing board to modify its regulations on when and how it pursues some types of formal enforcement actions.
Read more at GovInfoSecurity.
Certainly, HHS should look at the 60-day-from-discovery rule and whether it needs to be modified, enforced more, or both. As Holtzman notes and as I have lamented vociferously, while OCR completed more than 20 actions over the past two years involving patients' right to timely access to their records, in the past year there have been only two Security Rule enforcement actions.
Since 2016, blackhats have tried to extort victims in the healthcare sector by warning them that they will face enforcement actions and penalties from the government. The reality is that covered entities have had almost nothing to fear from HHS on enforcement of security. The real risk, if any, is potential class action lawsuits (even if they fail for lack of standing) and enforcement actions by state attorneys general.
So what will be announced by the end of 2022? I expect we will see restrictions or prohibitions on sharing information relaxed to cover circumstances where there are natural disasters like widescale fires, tornadoes, or floods that result in massive evacuations or loss of records in buildings that have been destroyed. I also expect we will see exceptions to the 60-day-from-discovery time frame for notifying patients of a breach in the event the system has been encrypted by attackers and the entity cannot figure out whose data were even accessed or potentially exfiltrated. But I hope that, hand in hand with that tolerance, we will see more enforcement of requirements for better security hygiene.