Department of Health and Human Services’ (HSS) Office for Civil Rights (OCR) Director Roger Severino gave some hints on the likely changes affecting the HIPAA in 2018. Because the Trump administration lobbied for a decrease and not an increase in regulation in the U.S., HSS responded that there will be deregulation in some areas before the introduction of further regulations. While there will not be major 2018 HIPAA changes, there will be a lifting of administrative burden on healthcare organizations. And one thing is for sure, HIPAA enforcements is unlikely to slow down.
OCR is now reviewing the current HIPAA regulations to see which part remains relevant and which areas can done away with to simplify the life of healthcare organizations. In particular, OCR is weighing the benefit of various HIPAA provisions versus the costs. HHS is streamlining regulations, minimizing duplicate requirements, eliminating outdated restrictions and obsolete regulations.
Since the signing of the HIPAA Enforcement Rule into law, the activities in HIPAA enforcement by OCR significantly increased. In 2016, OCR issued one civil monetary penalty and there were 12 settlement cases. In 2017, there was one civil monetary penalty and 9 settlement cases. Will 2018 see the same level of activities in HIPAA enforcement?
At the HIMSS Conference, OCR Director Roger Severino confirmed in his presentation that OCR will not slow down but will continue pursuing settlements with covered entities and business associates that violate HIPAA rules. The enforcement efforts will not only be directed on large healthcare organizations for “big, juicy, egregious cases.” Even small healthcare organizations will be punished if found to have violated HIPAA rules.
Severino explained that OCR does not really want to issue fines on healthcare organizations, but covered entities and business associates must improve their compliance programs. So, HIPAA enforcement in 2018 will likely see more penalties issued for common HIPAA violations like neglecting to conduct regular risk assessments.
Both OCR and state Attorneys general enforce HIPAA rules. OCR already issued two settlements in 2018. The first is a $100,000 penalty for Filefax, Inc. The second is a $3,500,000 settlement with Fresenius Medical Care North America. The New York AG recently fined two violators — Aetna paid $1,150,000 in January and EmblemHealth paid $575,000 in March. These activities in HIPAA enforcement are just the beginning this year.
American healthcare organizations and business associates that serve patients, customers or partners in Europe need to comply with the EU General Data Protection Regulation or GDPR. All companies doing business with EU nationals are mandated to comply with GDPR starting May 25, 2018. Failure to comply will attract financial penalties of as much as 20,000,000 Euros or 4% of the annual global turnover of the company, whichever is higher. Since the GDPR and the HIPAA Privacy and Security Rules have overlapping requirements, U.S. healthcare organizations will have an easier time complying than other businesses. But there’s no guarantee of compliance.