With the Trump Administration having completed its first year in office, and following a number of changes in important areas of law such as trade and taxation, many are wondering what modifications may be made to the Health Insurance Portability and Accountability Act (HIPAA) and what new HIPAA rules will be introduced in 2018.
As technology and society evolve, it is the duty of good legislation to evolve along with them. As noted above, different political climates also affect how regulations are applied and enforced. Within the first month of his presidency, Mr. Trump signed an executive order aimed at reducing the overall level of regulation across governmental departments. The quote given at the time was that “if there’s a new regulation, they [the regulatory body] have to knock out two”. To clarify, this means that two existing regulations must be removed for any one new regulation that is introduced.
Unsurprisingly, this has ushered in a trend of deregulation. If two rules have to be deleted for one to be introduced, there must be an evident and pressing need for the new regulation, and existing statutes must be thoroughly examined to identify the outdated or least important elements that can be removed without causing much damage.
In keeping with this, it is unlikely that we will see major changes to HIPAA rules in 2018. Having said this, there are three areas where modifications have been publicly proposed by the Department of Health and Human Services Office for Civil Rights (OCR) Director Roger Severino. The complete register of changes under consideration is not available at the time of writing.
In relation to the slated changes that we are aware of, the focus seems to be on reducing administrative load, improving treatment of victims of breaches, and adapting consent. In all cases, there will be a comment period during which advice and thoughts will be sought from industry players and other stakeholders in the healthcare space.
Restitution for data breach victims
The OCR was given the ability to impose fines and civil monetary penalties on institutions found to be violating HIPAA. The OCR is allowed to keep some of this money to help fund enforcement. However, a portion may also be awarded to the victims of data breaches or violations. An examination is underway as to how best to implement this restitution system.
Currently, there are some instances in which protected health information (PHI) can be shared without first receiving consent from the patient; this can happen, for example, if a patient is in imminent danger. The OCR is looking into broadening the good faith disclosures of PHI to include, for example, the sharing of PHI with family members and close friends should a patient be incapacitated, or in cases of opioid drug abuse.