In the past week, OCR has released two new issuances touching on HIPAA interpretation and enforcement. On the one hand, the regulated community eagerly awaits and devours these morsels as they are doled out. On the other hand, these particular morsels are unremarkable sub-regulatory issuances; one restates and interprets regulations in a manner that comes as no surprise to those of us immersed in HIPAA and the other announces an approach to exercising enforcement discretion that may well change again in the future.
Here are the specifics:
First: Five new FAQs on HIPAA — The HIPAA access right, health apps, & APIs. The questions center on whether apps not developed and delivered by a covered entity or a business associate or a downstream contractor of a business associate are covered by HIPAA and whether upstream regulated parties (CEs and BAs) are liable for inappropriate releases of data by such third parties. Unsurprisingly, the answer is no — a patient may direct a CE to release their PHI in whatever manner or format the patient desires, so long as the CE is set up to do so. Secure API to an app, insecure email at the patient’s direction so long as the patient is aware of the potential issues — all OK; it’s up to the patient. A couple of the FAQs focus on the slightly more complicated situation where an app developer may be acting on behalf of a CE or BA, in which case the delivery of the PHI via the app is subject to HIPAA, and any potential breach could yield liability up and down the food chain.
Of course, breaches not covered by HIPAA are covered by the FTC health data breach notification rule issued under the HITECH Act.
(Some of us would rather see OCR using its capital to insist that CEs release PHI at the direction of patients — something that is still much harder for many patients than it should be — or to issue a FAQ confirming that sending PHI via SMS should be seen in the same light as sending PHI via email.)
Second: OCR has adjusted downward the maximum fines that it will assess for HIPAA breaches under the HIPAA Enforcement Rule. Whether or not OCR makes such an announcement in advance, it has the discretion to impose fines lower than the maximum. However, the agency has announced that it erred (in its incarnation under the previous Administration) in interpreting an internally inconsistent statute and that it has now identified the correct interpretation, which leads to permitting fines of $1.5 million only in extensive cases of uncorrected willful neglect.
Given this retrenchment, I expect the regulated community will breathe easier, knowing that it is unlikely to face multi-million-dollar fines for lower levels of culpability. However, the agency has been measured in assessing fines and — quite frankly — fines (low, high, or indifferent) don’t seem to be having a significant effect on the frequency or severity of breaches in the wild. In any event, signaling that fines will be lower is not likely to improve compliance.
Despite these announcements, covered entities, business associates and app developers not covered by HIPAA must all remain vigilant and hew to a higher standard in order to maintain the privacy and security of sensitive data.