Health Law Gurus

HIPAA Enforcement Expectations and Updates for 2019

Summing up the results of the previous year, regulatory experts have noted that more than half of the businesses punished for HIPAA lapses in 2018 involved well-known big business entities making it a notable theme of the year. While some experts say that regulators may be relaxing the enforcement of the regulation, others remain confident that the Department of Health and Human Services (HHS) will be committed to a robust HIPAA enforcement in 2019.

To make predictions for the new year, experts are looking at the enforcement trends in the past few years, and 2018 in particular. On the one hand, the number of entities punished in 2018 looks less impressive compared to 2016, when the HHS’s Office of Civil Rights (OCR) announced 13 enforcement actions, collecting a record $23.5 million in settlements and fines. On the other hand, although year 2018 saw only 10 enforcement actions, the total payouts reached $25.7 million including the standout record-smashing $16 million settlement with Anthem, Inc. for data breach involving 79 million people. While the HHS OCR supports deregulation by Trump’s administration, experts are skeptical that OCR enforcement will slow down in the new year.  As was announced by the OCR Director Roger Severino in October 2018 at the 11^th annual HIPAA conference by the National Institute of Standards and Technology, his statement made one year earlier that OCR was looking for “big, juicy, egregious” cases, allowed the federal agency to collect $45M in penalties in the period between January 2017 and October 2018. According to some experts, the 2018 enforcements targeting deep-pocketed healthcare entities confirmed the agency’s desire for big settlements. Others believe that sanctions against high-profile entities could be a mere coincidence and the tendency in 2018 showed that OCR’s enforcement strategies are changing. One thing is clear, some changes to HIPAA requirements are on the way. According to Severino, OCR is currently seeking to eliminate certain regulatory requirements that obstruct the provision of healthcare, and the agency is working hard to eliminate the burdens to allow providers to concentrate on patient treatment.

In mid-December of 2018, the HHS OCR requested public comments on potential changes to HIPAA regulations. The Request for Information (RFI) seeks public input on improving care coordination and reducing the regulatory burden. The effort is to get input from providers, patients and industry professionals on how to improve some of the administrative aspects of HIPAA. The main focus of the RFI is on HIPAA privacy rule which could be modified to promote coordinated, value-based healthcare by promoting information sharing for adults in healthcare emergencies. The OCR is concerned that current regulation “impedes the transformation to value-based health care, and limits or discourages coordinated care” without enhancing patient privacy. The agency is considering to require the sharing of protected health information (PHI) among health care providers, not simply allow it. Such mandatory, rather than permissive PHI sharing could potentially improve coordination of care, improve the value-based care of mental disorders and promote the fight against the opioid crisis. “We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said Severino. “We are committed to pursuing changes needed to improve quality of care and eliminate the undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.” Public comments are due by February 11, 2019; the RFI is available at https://www.federalregister.gov/public-inspection/