Last week, the Trump administration tapped Roger Severino to head the U.S. Office for Civil Rights, part of the Department of Health and Human Services. The new director is a conservative who formerly worked at right-wing think tank The Heritage Foundation, where he focused on religious freedom, marriage, and "life issues," according to the foundation's site.
His appointment was met with significant criticism from civil rights groups, including the National Center for Transgender Equality, Human Rights Campaign, and the Center for American Progress, who say Severino has spent his career undermining the rights of women, gays, and the transgendered. The groups are concerned about his ability, or willingness, to protect all Americans' civil rights. Indeed, the OCR director is charged with the task. But he's also in charge of enforcing the nation's laws on protecting health data's privacy and security.
What will Severino's leadership mean to privacy pros working in that space? Well, that's a bit of a guessing game right now. But given the various hats he'll wear, some privacy pros aren't expecting much of a focus on privacy. Not that that would be remarkably different from past directors, says Adam Greene of Davis Wright Tremaine.
"Historically, I don't recall one instance where the director came in with a background focused on privacy and security," he said. "Rather, it's the Office for Civil Rights, and you tend to have directors with more of a civil rights background."
Kirk Nahra, an attorney at Wiley Rein, said former OCR Director Jocelyn Samuels was of a civil rights background, which meant the HIPAA staff at OCR took the lead on privacy and security. That's a trend he expects to continue.
"Most of that HIPAA staff is still there," he said. "I don't expect there to be a lot of change in the short term."
He added that there isn't a lot of partisanship surrounding HIPAA's Privacy and Security Rules, so, "I don't think conservatives are coming in and saying, 'Let's blow up these people's privacy rights.'"
Nahra says, in general, OCR is and always has been a "thoughtful, reasonable enforcement agency." He doesn't expect the new leadership to come in swinging, going after entities covered under the HITECH Act and subject to HIPAA audits in ways inconsistent with recent history.
"[OCR] can tell the difference between someone who is trying and it just didn't work and people who aren't trying," Nahra said of the agency's enforcement appetite. "It's not that you get one free breach or one free violation, but their cases have tended to be people who have had repeated problems, or people who haven't fixed problems rather than the first time something went wrong."
Lucia Savage, CPO at Omada Health, was formerly the CPO at the National Coordinator for Health IT. "It's really important to understand that OCR has many obligations, and privacy is only one of them," she said. "That's a lot of stuff besides HIPAA. ... There are many things they have burning on the stove that are not HIPAA related."
That said, she anticipates HIPAA audits — phase two was launched this time last year — to continue, in part because the political pressure surrounding data security is heightened.
"I wouldn't expect a giant shakeup, except in two ways," she said. She sees the agency implementing the powers it was given under the 21st Century Cures Act, a bipartisan bill signed into law by President Barack Obama in December. Under Cures, OCR is to issue new guidance on when health providers can disclose personal health information to family members. Cures also brings new uncertainties over information-sharing. Specifically, it forbids "information-blocking" by healthcare providers or health exchanges, which gets complicated when juxtaposed with HIPAA's restrictions on sharing in certain cases. Under Cures, in cases of alleged information-blocking, OCR is to engage with the Inspector General to determine the appropriate action.
"OCR is the interpreter of the regulations," she said. "They will play a key role. Whether behind the scenes or in public, I don't know."
Greene said he's heard rumblings that current OCR staff want to focus on creating guidance on texting and social media as it pertains to healthcare, as well as plans to clarify information-sharing rules, such as "how to distinguish between requests that come from an individual, patient, or plan member, as compared to one that comes from a third-party, such as an attorney."
Nahra said he's watching OCR for changes to how it handles enforcement regarding business associates. Business associates are subject to most of the same HIPAA rules as covered entities, but a "business associate" can be any company working with a covered entity, and the extent of its involvement with health data varies greatly.
"If you have just one piece of patient information, you have to comply fully with the HIPAA Security Rule, and that's just weird," he said. A business associate whose health data dealings account for a modest percentage of its overall operations, say, three percent, really shouldn't be subject to the same kind of audit requirements as an associate working with health data 60 percent of the time, for example.
"So, they have a real challenge on how to deal with some of those situations," he said.
For now, it's unclear if those kinds of challenges are on Severino's radar or not.