Kirk Nahra: HIPAA, data issues will keep providers on their toes

Looking at the year to come in healthcare privacy and security, there will be many HIPAA and legislative issues providers should keep their eyes on, Kirk Nahra, a partner at Wiley Rein LLP, said during a talk at the 24th National HIPAA Summit in the District of Columbia this week.

Here's some of what the future holds, according to Nahra:

HIPAA: When it comes to enforcement action, Nahra pointed to the two recent HIPAA cases--at North Memorial Health Care of Minnesota and at Feinstein Institute for Medical Research. Drawing from those cases, Nahra said it seems there will be strong enforcement when there have been "significant, repeated or widespread compliance failures," as well as in cases where problems have not been fixed.

The Health and Human Services Department's Office for Civil Rights also will have to figure out how to tackle enforcement for business associates, Nahra said.

From his vantage point, Nahra said, many business associates (BA) are not currently in reasonable compliance with the security rule because they may not have the appropriate risk assessment, risk management and documentation. That's not surprising, he said, given the enormous variety in the BA community. However, that also means the industry is at a point right now where there is little consistency from one BA to the next.

"I think that is going to present real enforcement challenges and real enforcement judgment challenges," Nahra said.

It's something the industry needs to watch, he added, but people should not overreact or jump to conclusions based on the first case that comes out.

21st Century Cures Act: "There are a couple privacy provisions in the bill that I would characterize as bizarre," Nahra said, referring to legislation that aims to speed up the approval process for new medical devices and drugs

Because these portions are a very small part of an extensive bill that otherwise has tremendous support, almost no one has paid attention to them, he said.

One of those provisions is designed to expand the availability of healthcare data to be used for research purposes. Basically, he said, what the legislation does is turn research into healthcare operations. That means data can be used--and more importantly disclosed--for any research purpose. "That takes a little problem and opens up a bigger can of worms without really any consideration of what that's going to do," Nahra said.

The other provision says the industry will call anything that is research connected to Food and Drug Administration-related activities "public health." For anything that fits those definitions, they're going to remove the HIPAA limitation on paying for data.

"So now you can pay anything you want for data for anything you can call research, which to me seems kind of odd," he said.

Data outside HIPAA: The most interesting issue going on with healthcare data, Nahra said, is that health information is being gathered in ways that have little or nothing to do with the security and privacy rules.

Health data obtained outside HIPAA, through apps and wearables, is now being brought into the HIPAA structure, he said.

"What we are seeing is an extensive debate on what to do about this non-HIPAA information," he said. "There is a lot of pressure to do something about this; there is, however, no consensus on what that something is.

"There's too much data being used by too many people in too many risky contexts to do nothing about this," Nahra added. "The challenge that we're going to see is how to address all this."