AHIMA17: Ex-OCR advisor David Holtzman talks small provider security, federal budget cuts

A new administration in Washington, D.C., means changes for the regulatory landscape and enforcement for health information management, which will be the focus of David Holtzman, vice president of compliance strategies at CynergisTek, during his presentation at this week’s American Health Information Management Association (AHIMA) conference.

Holtzman previously served as senior advisor to HHS’ Office of Civil Rights (OCR) on health information technology and the HIPAA Security Rule. Ahead of the conference, he spoke to HealthExec about how his former agency may change under President Donald Trump and where small healthcare organizations are still being left out of the cybersecurity conversation.

HealthExec: Before we get into concerns on regulatory changes, how concerned should healthcare organizations be about proposed budget cuts to OCR and HHS as a whole under the new administration affecting them?

David Holtzman: The cuts sought by the administration were adopted by the House of Representatives in their spending bill. The Senate has not yet considered the spending plan for FY (fiscal year) 2018. In the absence of a budget passed by Congress, the entire federal government is operating under a temporary measure, due to expire in early December, that funds the government at existing FY 2017 levels.

However, HHS is not waiting on congressional action on the budget to implement a reorganization plan that puts into place the Trump administration's changes to ONC and OCR. ONC's HIPAA-related health information privacy and security activities have been axed, and the oversight of the EHR certification program has been significantly curtailed.

An early casualty of the proposed cuts to OCR is the agency's HIPAA audit program. In 2016, OCR launched its much-delayed Phase Two of the HIPAA compliance audit program. That included OCR conducting more than 200 remote "desk audits" of covered entities and business associates. OCR officials had originally planned to also conduct a smaller number of more comprehensive on-site audits in the first quarter of calendar 2017. But OCR officials said plans to conduct those on-site audits are on hold, and efforts to make the audit program a permanent fixture are off the table for now.

Has enforcement at OCR changed at all with the new administration?

It is difficult to tell what changes, if any, in OCR's enforcement strategy are taking hold under the new administration. In March 2017, Roger Severino took over as the OCR director. His appointment so soon in the new administration was somewhat of a surprise, because in the Bush and Obama administrations the post had been left vacant for many months.

In the first six months of the year there were nine OCR enforcement actions in which over $17 million was collected. However, there have been no resolution agreements announced since the end of May. But there has been no let-up on the investigations and reviews for compliance with the HIPAA breach notification and security rules, especially for large breach incidents and ransomware attacks. Anecdotal evidence suggests that OCR is concentrating on resolving cases informally through the voluntary compliance efforts of covered entities and business associates.

What are the new regulatory hurdles those in HIM need to know about, or are they the same headaches and challenges they've been dealing with for years?

The new administration has brought about a change in regulatory culture. It is very unlikely that HHS, and OCR in particular, will be issuing many significant HIPAA regulations. Recently, OCR described its near-term focus as being on the mandates in the 21st Century Cures Act, passed by Congress late in 2016.

What lessons in compliance and security can healthcare take away from the big data breach stories of 2017, like WannaCry and Equifax?

From a compliance perspective, health information management professionals should take heed of OCR, which has guidance and recommendations for all covered entities and business associates to follow in the event they are impacted by a cyberattack. A HIPAA covered entity or business associate can expect that OCR will look for evidence that the steps outlined in its guidance were followed when it opens a compliance review in the aftermath of a cybersecurity incident.

The new guidance on response to a cyberattack or cybersecurity incident can be seen as a reasonable extension to OCR’s guidance that when a third-party individual or machine gains access to an information system that creates, transmits or maintains a covered entity or business associate’s PHI, this constitutes an unauthorized disclosure of PHI.

Having been on both sides of this fence—working for OCR and working for healthcare organization compliance—what do you think both the public and private sectors need to do to improve their relationships with one another to better protect sensitive data?

I am flummoxed by the failure of the health care industry and government to solve the challenge of bringing cybersecurity education and resources to small health care providers and other organizations that handle protected health information. There is consensus that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Better public-private partnerships can help organizations develop a flexible approach to understanding, managing and reducing their cybersecurity risk, placing the entire health care ecosystem in a better position to defend against large-scale, organized attacks like WannaCry and ransomware.

Approaches to developing and implementing programs to safeguard an organization's information system work best when they manage cybersecurity risk through assessment and mitigation of threats and vulnerabilities, and through empowerment of an integrated, multi-disciplinary cybersecurity workforce capable of designing, developing, implementing, and maintaining defensive and offensive cyber strategies.

Helping organizations, especially small health care providers, develop an integrated cybersecurity workforce means building technical and nontechnical roles that are staffed with knowledgeable and experienced people who can address the cybersecurity challenges inherent in preparing their organizations to successfully carry out the aspects of their missions and business processes connected to cyberspace.