A loss in a court case, two new federal laws and their own thoughts on how to revise the privacy rule will be keeping officials from the HHS Office for Civil Rights (OCR) busy in the coming months writing rules and regulations. The range of topics OCR will address includes its enforcement approach, harmonization of 42 C.F.R. Part 2 regulations governing substance use records, security practices that would mitigate sanctions, and changes to medical records access requirements, among others.
More information is known about some of these actions than others, but all of them will affect covered entities (CEs) and business associates (BAs). Privacy and security compliance officials should follow OCR’s progress and consider commenting on draft regulations when they are available.
CEs and BAs are doubtless aware of a high-profile enforcement case OCR lost at the circuit court level early this year. The University of Texas MD Anderson Cancer Center had been fighting penalties OCR sought to impose, and those penalties have now been voided. After a five-year investigation, OCR in 2017 attempted to fine MD Anderson $4.348 million for three breaches and alleged encryption failures dating to 2012. MD Anderson contested the finding, appealing it first to an administrative law judge (ALJ), then to an ALJ review panel, and finally to a federal appeals court, a path no organization had previously pursued that far against OCR.
On Jan. 14, Fifth Circuit Judge Andrew S. Oldham, writing for a three-judge panel, harshly criticized OCR’s actions and those of the HHS attorneys. The ruling noted that MD Anderson had shown, by pointing to other cases, that OCR enforced the encryption requirements for electronic protected health information (ePHI) unequally.