S3 E16: Changes at HHS and the Impact on HIPAA


Transcript

Jordan Eisner (00:00)
Yay, here we are. Welcome back to another episode of Compliance Pointers. I am your host Jordan Eisner and I’m excited to welcome Sarah Reckling to the podcast today. This is Sarah’s first guest appearance on the Compliance Pointers podcast. How are you Sarah?

Sarah Reckling (00:18)
I’m doing good, Jordan. Excited to be here.

Jordan Eisner (00:21)
All right, that’s what I wanted to hear. Because if you weren’t, we could just end it.

Sarah Reckling (00:26)
Sure. No, no, we have to continue.

Jordan Eisner (00:31)
So Sarah is a consultant in our data privacy practice. Her specialty, generally, is data privacy, but more specifically HIPAA within privacy law. She’s an attorney. She has a master’s degree as well, I think, and let me know if I’m messing things up here, Sarah, but Public Health Administration.

Sarah Reckling (00:53)
So close, Jordan. Health Administration.

Jordan Eisner (00:57)
Masters in Health Administration. She’s an attorney and she’s a specialist in HIPAA. So a great resource and wealth of information when we’re talking about that space. And so today we want to understand from her, her opinion, her thoughts on changes at the Department of Health and Human Services following the election and how that could impact HIPAA and maybe specifically investigations. So let’s dive right in.

How has the HHS changed since the Trump inauguration and the appointment of Robert Kennedy Jr.?

Sarah Reckling (01:41)
Sure. So to put it simply, I mean, it’s changed a lot. Even last week, we had a bit of an update from the White House Office of Management and Budget. They sent a formal budget proposal to Congress recommending basically an overall funding cut from what was 168.8 billion to 80.4 billion, which is pretty stark. 30%, which is quite a bit.

Jordan Eisner (02:13)
You said they’re cutting 80 from 168.

Sarah Reckling (02:22)
Yeah, they’re cutting from 168.8 to 80.4. So pretty significant for budget cuts, at least especially for HHS. And I know a lot of questions have been centering over, you know, where this budget cut is gonna go. And it’s primarily towards smaller agencies and programs under HHS. So the Substance Abuse and Mental Health Services Admin, Health Resources and Services Admin, a bunch of smaller ones.
So they haven’t talked about OCR, at least that hasn’t been the grumblings quite yet. I guess we’ll see how that goes or if that goes through with Congress. But in addition to the budget, we have seen, as I’m sure everyone has seen, that there’s been a pretty big increase in cutting jobs. There are about 20,000 jobs that were cut under HHS specifically. Their focus, his focus, the secretary’s focus is really to focus on the Administration for a Healthy America, which is AHA.

But I’ve been getting a lot of questions, Jordan, about like, how is this going to affect HIPAA investigations, right? Because with a decrease in staff, decrease in budget, like what does this even look like? I know a lot of folks in the industry, just chatting with them, their prediction is that, well, these investigations that HHS does under OCR are pretty profitable. So they’re just thinking, you know, hey, this makes a lot of money. Why wouldn’t they continue?

However, on the flip side of that is even though these lead to significant civil monetary penalties, I mean, it’s not entirely accurate to say they’re profitable, right? Because the penalties serve as a deterrent to recoup costs associated with violations.

Honestly, to think about it, I think that the HIPAA investigations are probably not going to end. They’re still going to be flagged primarily by patient complaints that are reported to HHS, as well as OCR flags those investigations that involve 500-plus individuals. That’s where they’re really starting those investigations, but I don’t think there’ll be as many as there have been, just because, first of all, there just aren’t enough folks in HHS right now to do and perform.

Jordan Eisner (05:22)
Yeah, there are fewer people. Go ahead, finish the point and then I have a follow-up question.

Sarah Reckling (05:29)
So, I mean, like I said, during the Biden administration, there was a big push, right? We saw a lot of investigations, a lot of settlements come through, but I just don’t think at this time that is the focus of the Trump administration and or the secretary. I think the big focus right now, at least, is the administration for a healthy America again, to really battle chronic care and disease prevention programs.

So I think that’s probably going to be the focus right now.

Jordan Eisner (06:03)
So, and you talk about a lot of investigations taking place under the previous administration. And this could be anecdotal, but a lot of times when I sift through some of the investigations or the enforcements, they seem like they would sometimes be 10 years in the works. The incident would be that old, and then they’re finally getting around to doing some of that. Is that common? I mean, do they typically take a long time? Was I just seeing the ones that took that long a time? And now, given the cut in staff and the emphasis on deregulation and some of the prioritization away from this, if there are any, are they going to take 20 years to come around? Because some business, maybe, I’m not too concerned about that, right or wrong.

Sarah Reckling (06:55)
Right, so I think your question is pretty loaded, right? So organizations don’t want to spend years and years on an investigation. There’s just a lot of work that goes into them. A lot of evidence that needs to be produced. So I think the overall goal is always to get these done as quickly as possible. Whether that’s an ability is a bigger question, right? I guess it depends on how big.

Like, I guess, what is the issue that they found? Right? Is it something like there weren’t a couple of policies and procedures, or are we talking like a security breach? Right. Where we’re affecting, you know, many, many thousands of individuals. So I think it really depends on what the situation is. A lot of times these investigations do take a long time and they are lengthy and, you know, they require a lot of evidence to be produced.

So unfortunately they do take a long time, but the goal is to be as quick as possible. I mean, I’ve never really heard of one that goes for 20 years, although there could have been. I hope for everyone’s sake that doesn’t happen. But I feel like with the decrease in the amount of staff in HHS now, I mean, there could be a very real possibility that investigations that took perhaps six months might take longer, just because there’s less staff, so it’s gonna just take longer to get through each investigation that’s on their plate. So that could be a real plus.

Jordan Eisner (08:27)
Everybody involved. OK, so shifting gears, and one of the things you were talking about there was the security rule. There are three rules under HIPAA law: privacy, security and breach. Let me know if there’s another that I’ve left out, but, you know, you talked about what’s the severity of some of the investigations? What was the incident? Was it, you know, maybe not a violation of the security rule, but was there a security issue as part of that?

Security, obviously, last year and years prior, very important to this industry, continues to be attacked by bad agents. If there’s a de-prioritization, maybe that’s not the right word, but if attention is focused elsewhere beyond some of these regulations and the security rule, where does that leave the state of things from a securing PHI standpoint, and some of the enforcement and the concern and the scrutiny around the importance of that, which I think everybody would agree is pretty vital?

Sarah Reckling (09:41)
Sure, yeah, I feel like that’s a topic everyone’s talking about: what is the status of the security rule? How do we go about it? Just to give some context for the listeners, you know, HHS proposed a new rule to update the security rule on January 6th. Basically, in my opinion, to really bolster just baseline requirements to the security rule. The security rule itself has been great in that it was implemented, although I feel like its biggest strengths were also its biggest weaknesses. Let’s just put it that way: it has requirements, but it really lacked in providing clarity on what those requirements are.
I think that this new proposed rule, if it does go to, you know, the finalized rule and goes through, really will give organizations clarity on what to do, right? Because I feel like a lot of companies now are like, well, what is this going to add to my security plate, right? What else am I going to have to do? And I think from just looking at the rule, there are five main areas where they focus. Obviously not a conclusive list.

But a lot of the specifications that were relegated as addressable are now being pushed to required, such as doing an annual risk analysis, revisions to policies and procedures, making sure there’s penetration testing. I know the second one, which is huge, that we saw with Change Healthcare, for example, is multi-factor authentication.

You know, in that situation for Change Healthcare, they really felt like the ransom attack was a lack of having MFA and just not having data encryption for your PHI that’s both at rest and in transit. Some of the other biggest concerns that I feel like we’ve been seeing a lot recently, even the last couple of weeks, I’ve seen some HHS settlements that have happened out of just not having business associate agreements, as well as not having business associates having security measures in place and verifying that they have those measures in place, which is huge, right?

Jordan Eisner (12:16)
It’s a tall task as well.

Sarah Reckling (12:28)
It is, it is. It’s a lot of work, right, to monitor them as well as monitoring your own company or organization, but it’s really important to know what is happening to your PHI once it leaves your org, right?

Which kind of goes to my next point, that the security rule would be bolstered with this new proposed rule by requiring detailed maps outlining the flow of PHI, as well as mandating like a comprehensive inventory of your assets in your environment, just to confirm, like, you know where your PHI is sitting and where it’s going at all times.

Yeah, which is super important. Yes, lengthy and it does take a lot of manual labor. But you know, knowing where all your PHI is is really, really important.

Jordan Eisner (13:10)
Yeah, I see them. For us in the industry, maybe not being fully aware of the implications that this could mean for those that it’s subject to, all this seems like a catch-up, frankly. And these are things that other, you know, best practice security frameworks have recommended for years. So I’m in favor as a consumer, patient,

you know, if you will, but understanding that there are more implications for business, or those providing care, covered entities. That’s why some of this has debate and conversation before it goes into effect. But would you agree with that? These are not... Other than maybe the requirement for mapping and inventory and how they show evidence of that, all the other things to me seem like low-hanging fruit that

probably should be happening anyway.

Sarah Reckling (14:12)
I couldn’t agree with you more. I feel like, to be honest, what the security rule already has is baseline. And I just think this is making those baselines all very much required, right? Right now they’re addressable. And I think it gives clarity, but to be honest, I feel like everything that’s in the new proposed rule is something that already should be happening. And also from just the standpoint of organizations, it’s just good protocol, good ethics, right? To do all of these things to make sure that protected health information is protected, right? So I think it’s not really adding anything particularly new, it’s just really cleaning it up, right?

Jordan Eisner (15:01)
Yeah, and we’ll see how they, you know, if it has teeth to it, I think is also an important part. Do you anticipate any aspects of HIPAA being emphasized by the new administration?

Sarah Reckling (15:17)
Sure, good question, Jordan. So, I mean, the new administration has made it clear their focus is on deregulation, right? The White House hasn’t specifically, you know, had a conversation clearly about HIPAA investigations, the security rule, right? That hasn’t been directly discussed. The secretary also hasn’t spoken on whether he’s going to shift focus to it or not, but I think regardless of those two conversations happening, you know, cyber attacks are not going to stop, disclosures of PHI are not going to stop. You know, it’s really important to make sure your organization is following all three of the rules because they’re not going anywhere, right? Like, even if the government is not having conversations, that doesn’t mean you should stop having those conversations. And OCR is not going to stop their investigations, even though they’ll be limited, right? But who knows when they could knock on your door? You have no idea. So I think the biggest offenses, and where I think orgs should put a lot of their attention on, is

you know, first and foremost, having those administrative, physical and technical safeguards in place, and that would include, you know, just walking around your organization, seeing is this computer screen visible from the window outside, right? It can be those little things that have huge consequences. Like I mentioned earlier, check your vendors.

Check your business associate agreements. Are you checking in on them? Are they up to date? Are they requiring security protocols that meet your organization’s protocols, right? Right, right. And I think a lot of things that get missed from the business associate is, are you requiring them to provide you proof that they disposed of the PHI once the BAA is

Jordan Eisner (17:12)
How are you verifying that?

Sarah Reckling (17:28)
closed and completed, right? I think the follow-up during and the follow-up after is super important. And I think one of the last really big points, even though this has been a conclusive list, is making sure you’re doing your annual risk analysis, risk assessment, because you just don’t know where it’s going to live, and if your applications and data systems aren’t using ePHI, right, it’s really important to do that.

Jordan Eisner (18:03)
Vulnerabilities are going to change. You know, that landscape, as your business evolves, or sorry, I keep saying business, but you know, organization, as it evolves and you onboard, offboard vendors, onboard, offboard contractors, onboard, offboard different employees, add locations, remove locations, switch software, you know, it’s all going to change. And I agree, you know, the threat landscape could change, and adjusting for those risks and ensuring that you’re treating them accordingly is very, very vital.

Sarah Reckling (18:37)
Couldn’t agree more, yes, and I think another area too is organizations forget, as soon as you kind of make changes big or small to your applications, you know, anything in your environment. I mean, you gotta follow up and check on that, right, to see how that has touched or affected your PHI.

Jordan Eisner (18:57)
Yeah, yeah, you should do a privacy impact assessment.

Sarah Reckling (19:01)
There we go, yes.

Jordan Eisner (19:03)
I should add that to one of the amended rules for her.

Sarah Reckling (19:07)
Maybe we’ll propose that Jordan.

Jordan Eisner (19:10)
Yeah, no, no, no, I wash my hands of any proposing on these regs. We are outside of that. We just help companies navigate them. What else, Sarah? I guess in closing, for somebody listening or watching this podcast, we’ve talked a lot about HIPAA, the new administration, the deregulation. What else is still concerning in the new proposed HIPAA security rule requirements? What else do you think would be relevant to tie off on to end this podcast, in the privacy and security landscape in general in the healthcare industry?

Sarah Reckling (19:43)
Sure, so you know, no matter which direction the pendulum swings with the discussions about HIPAA investigations or the security rule, I think the biggest takeaway is, you know, listening, reading about the past investigations that HHS has settled on, because that can be a great learning tool for what organizations should steer clear of doing or how they should bolster their organization generally to protect PHI. As well as just emphasizing the point I made earlier: even though there are, perhaps, going to be fewer conversations about HIPAA and the importance of bolstering security, it’s just not to stop having those conversations, because the issues of cyber attacks as well as disclosures of PHI, whether large or small, are still going to be happening.

So it’s still very relevant no matter what.

Jordan Eisner (20:46)
Yeah, good stuff. Well, listen, I knew this before we even got started, but we’re going to have you back. Very informative. Thank you for keeping abreast of all these things for our clients and now for our podcast listeners and watchers. And for those of you listening and watching, Sarah works, like I said, in our privacy group here at CompliancePoint. She provides this sort of advisory and, I’d say, industry awareness for our clients on an ongoing basis. And this is just one area that CompliancePoint provides services in, in the industry or focuses of information security, information privacy and regulatory compliance. So don’t hesitate to reach out, compliancepoint.com. You can email us directly at connect@compliancepoint.com if you have questions or you want to talk with an expert like Sarah. And don’t forget to subscribe to the podcast for more content like this. We produce this pretty much weekly.

And leave us a review or feedback if you’re enjoying it. Until then, everybody be well.

Sarah Reckling (21:52)
Thanks, Jordan.
