The healthcare industry is no stranger to change. As a new administration settles into the White House, it naturally raises the question, “what’s in store?” While the administration has stated a position of ‘less government,’ it’s hard to predict how and when that might affect industry laws and regulations.
According to a report by HealthcareInfoSecurity.com, which polled CISOs, CIOs and other experts after the November election, the consensus was that the new administration won’t have an immediate impact on HIPAA or other healthcare privacy and security regulatory activity. This seems like a good bet. First, it takes time to change laws and regulations. Second, because HIPAA deals mostly with information security and privacy, it’s largely a bipartisan concern.
Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) said it would ramp up HIPAA compliance audits, including those on Business Associates. It’s unlikely OCR will change that trajectory any time soon, especially since the audits are essentially self-funded by the fines OCR collects from violations (an estimated $27M in 2016). For risk and compliance teams in the healthcare industry, that means maintaining a mindset of ‘audit-readiness.’
Let’s quickly address the Executive Order signed by President Trump on the day of his inauguration relating to the Affordable Care Act (ACA). Think back to your civics lessons in school. Congress makes laws. Regulations are issued by federal agencies, boards or commissions to explain how a law will be implemented. An Executive Order can’t overturn an existing law or abolish a regulation. However, it can be used to direct and manage how the federal government operates.
This Executive Order directed the Department of Health and Human Services to:
“Exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”
The order provides guidance on how to carry out elements of the ACA dealing with financial impacts of the law; it does not replace the law.
In addition to federal laws like ACA, most states have enacted their own legislation with regard to the privacy and security of healthcare data. For example, the Massachusetts General Law Chapter 93H and its 201 CMR 17.00 regulations require a written, regularly audited plan to protect PHI.
To sum up, in a regulatory environment where change is constant, the trend will likely continue. However, it would take some time to significantly alter existing laws and regulations. It’s practical to stay the course with regard to maintaining your risk and compliance program goals.