Year End Predictions: Any Privacy or Security Surprises?

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

As 2021 starts to quickly draw to a close, instead of focusing on what could happen in 2022, what could the remaining roughly month and a half of this year have in store? Any crystal ball will always admittedly be murky in most instances, but that is arguably where some of the fun can come in too.

Final HIPAA Regulation

A proposed rule to modify certain portions of the HIPAA Privacy Rule closed its comment period in the first half of 2021. The modifications focus on the patient right of access and care coordination issues. Arguably the proposed changes to the Privacy Rule encode pre-existing sub-regulatory guidance and common experiences, but would put firmer lines into place. The care coordination aspects sought to expand use of information for interconnected purposes in an individual’s life.

Leaving aside the specifics of the proposed rule, speculation has grown as to when a final rule will be released. There is a fair bet, and the prediction here, that a final rule will be released in December. Optimistically, roughly six months should be sufficient to work through all of the comments and produce a final rule. That will result in some fun holiday reading and provide an opportunity to start the new year with renewed energy to build strong compliance with regulatory requirements. The long history of dropping regulations when everyone is gearing up for the holidays supports the expectation that the final regulation will be released. Doing so lets the agency clear its desk and shift attention elsewhere.

Another Big HIPAA Settlement?

The transition to the new administration has so far resulted in a slowdown of HIPAA enforcement actions. There have not been any real headline-catching settlements or even targeted actions to highlight specific instances of non-compliance where more attention is desired. To some degree, the reduced number of settlements could reflect a change in priorities as the previous OCR administrator had come into the role with an announced intention of trying to bring in money through settlements. So far this year, there have only been a small handful of right of access related settlements.

Given the lull in settlement action, there is a reasonable expectation that one or two surprise settlements will come out before the end of the year. Given the ongoing attention to right of access, a more significant settlement could be expected. The settlement could focus on more systemic issues such as not providing access in the manner requested. Individuals have the ability to request access in their preferred form and format, but pushback is often given by organizations. Arguably a settlement on that front could help emphasize changes in the pending rule.

Another area warranting a settlement is the timeliness of data breach notification. Many notifications identify that an incident occurred months previously, in some cases more than six months prior, an investigation occurred, and then notification occurred some significant period of time following the completion of the investigation. While it can often be difficult to fully determine the scope of a breach, delaying notification seems to toy with the definition of discovery in the HIPAA Breach Notification Rule. A settlement focused on the timeliness of notification could provide a means of guiding organizations through the presentation of implicit expectations.

Info Blocking Rule Enforcement

Another area where enforcement has not yet occurred is the new information blocking regulation. The reason for the lack of enforcement is a missing rule setting out how enforcement can actually occur. Without a rule establishing the mechanics for enforcement, the government’s hands are tied and there is arguably little to spur organizations to fully embrace the requirements. There has been a bit of silence on the enforcement front, but with access an ongoing priority there is a need for clear enforcement guidelines. Given the lack of finalization, an unexpected announcement could come.

Another Merger or Acquisition?

Will another major merger or acquisition occur in the digital health space? There is still strong interest in creating vertical integration or acquisition of technology capabilities. While a specific target may be difficult to identify, a reasonable prediction is that Best Buy, Peloton, or another non-traditional healthcare entity could make a further splash by adding to healthcare-focused capabilities. The amount of investment money and interest flowing through the digital health realm is strong, so there will be a deal at some point. Given that year-end can create pressure to drive a headline, there is a deal out there waiting to happen or be announced.

Your Predictions?

Predictions are fun and even more so if one actually checks out. For readers, are there any more predictions out there that can be shared and added to the pool?

This article was originally published on The Pulse blog and is republished here with permission.