Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below.
For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).
After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.
Our predictions that were quoted by Marla follow.
Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.
In light of the number of breaches that took place in 2015, the New Year will most likely see an increase in HIPAA enforcement. However, regulators outside of healthcare, such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission, will also try to extend their foothold into the healthcare compliance realm, much in the way that the Federal Trade Commission has.
Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability.
In September of 2015, the DOJ announced through the Yates Memo that it would be shifting its strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also mentioned that it will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.
Kline Prediction: OCR will examine business associate relationships.
The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention. According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”
We shall continue to observe whether the apparent trend of federal agencies to grow their reach into regulation of healthcare privacy continues as we approach the Presidential election.