Newly confirmed Department of Health and Human Services (HHS) Secretary Tom Price is no fan of federal regulations, leaving providers and cybersecurity leaders wondering how his views will translate to HIPAA and cybersecurity enforcement.
Price has already expressed distaste for Meaningful Use requirements, arguing that they have turned physicians into “data entry clerks,” but he concedes that EHRs are “important from an innovation standpoint.”
Although he has not voiced his position on HIPAA regulations, as an advocate for reducing burdensome regulations for physicians, Price may be skeptical of stringent HIPAA requirements, Adam Greene, an attorney with Davis Wright Tremaine told GovInfoSecurity.
Others questioned how HIPAA enforcement would proceed under a Price-appointed director of the Office of Civil Rights following previous OCR leadership that issued a record number of HIPAA settlements in 2016.
Price could ease the requirements under HIPAA, although paring back cybersecurity requirements could also translate to more data breaches, according to HIPAA Journal. Any update to the law that adds new security requirements could also be subject to President Trump’s “two-for-one” regulation order.
Dave Summitt, CISO and director of cybersecurity operations at Moffitt Cancer Center, told GovInfoSecurity that easing cybersecurity regulations embedded in HIPAA and the HITECH Act would have a detrimental impact given the healthcare industry’s subpar approach to cybersecurity.
“Healthcare security professionals have had an uphill battle for several years in helping boards and leaders understand cyber risks, and we've come a long way,” Summit said of scaled-back security requirements. “I believe this would slow the progress.”