As of June 1st, it has been approximately 132 days since United States President Donald Trump was sworn into office. During this time, Trump's administration has had a considerable effect on the healthcare industry – especially HIPAA. We're going to be breaking down the latest news of the Trump presidency on HIPAA and attempt to determine what the future of HIPAA compliance may hold for healthcare providers under his continued administration.
Enforcement under the new administration continues to stay the course for now
While Trump's presidency has garnered much attention and criticism, especially in regards to health insurance and the Affordable Care Act, one aspect of his presidency that has been overlooked is his dealings with HIPAA. During his first 100 days in office, his administration has implemented five HIPAA enforcement actions, totaling a staggering $11,631,000. These enforcement actions were already in the pipeline during President Obama's administration, but Trump's presidency set them into action. These enforcement actions and their resulting fines include:
2/1/2017: Children’s Medical Center of Dallas (Children’s) – $3.2 Million.
Children’s Medical Center of Dallas lost multiple devices containing electronic protected health information (ePHI). While that alone raises several security issues for health information privacy, the OCR investigation revealed that the organization's own Security Risk Analysis had recommended encryption since 2007. However, they failed to act on this advice for 6 years and instead continued to issue unencrypted devices to employees. Children’s Medical Center chose not to negotiate with the OCR and simply paid the entire $3.2 million Civil Monetary Penalties determination.
2/16/2017: Memorial Healthcare System – $5.5 Million.
The Memorial Healthcare System in South Florida failed to monitor the activity of a terminated user's account, which was used to access the records of 80,000 patients over a one-year period. It is errors like these that make HIPAA audits especially crucial.
4/12/2017: Metro Community Provider Network – $400,000.
The Metro Community Provider Network (MCPN) is a federally qualified health center (FQHC) and safety-net provider in Denver, Colorado. MCPN failed to conduct a computer security risk analysis addressing cyber threats and failed to manage risks prior to a data breach, thus violating the HIPAA privacy rule.
4/20/2017: Center for Children’s Digestive Health – $31,000.
This 6-physician GI practice in the Chicago area engaged a patient chart storage company, FileFax, Inc., in 2003. They failed to obtain a HIPAA Business Associate Agreement for 12 years.
4/24/2017: Cardionet – $2.5 Million.
CardioNet, a Philadelphia-area remote wireless cardiac monitoring provider, agreed to a $2.5 million settlement. In January 2012, a laptop containing the ePHI of 1391 individuals was lost; the resulting investigation revealed that CardioNet had insufficient risk analysis and risk management processes, and that its HIPAA policies and procedures existed only in draft form and had never been implemented.

All in all, the frequency and amount of these HIPAA violation enforcements tell us that the Trump administration intends to pick up where the Obama administration left off. Essentially, his presidency will uphold the ongoing enforcement of HIPAA.
Proposed budget cuts could make things tougher
Last month, President Trump released a detailed proposed budget for fiscal year 2018. The budget proposes large cuts to the Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR). The ONC and the OCR are the two agencies within the Department of Health and Human Services responsible for health data privacy, security, and HIPAA enforcement. The proposed cut to the ONC is a 36% reduction, shrinking its budget from $60 million to $38 million. Full-time staff would be reduced from 188 to 162. Meanwhile, the OCR could face a 16% budget cut. This means a potential budget reduction from $39 million to $32.5 million. Additionally, full-time staff would be reduced from 177 to 161.

These proposed budget cuts could impact HIPAA in a few ways. First, the most obvious impact is that limited resources will make it harder for the OCR to enforce HIPAA violations. The OCR had originally planned on conducting more than 200 desk audits of covered entities in the first calendar quarter of 2017. However, that has now been postponed until further notice.

A more important impact of these budget cuts is that the ONC and OCR will not have enough staff and resources to provide guidance to covered entities and business associates about HIPAA. As many know, HIPAA and all of its sub-components are complicated. To continue abiding by its regulations, covered entities and business associates need guidance from the ONC and OCR. Without proper guidance, there is potentially more room for error in interpreting and implementing the HIPAA guidelines.
Wait and see
Given all the challenges in the current healthcare IT field along with a potentially reduced budget, the only thing we can do now is wait and see. As for the ONC and OCR, they will have no choice but to set priorities and prove that they can still operate efficiently with reduced resources. Only time will tell whether they can remain viable.