Government Shutdown: Impact on Health Data Security, PrivacyHIPAA Enforcement Agency Open, But Regulatory Activity Slows Down
Some regulatory activity related to health data privacy and security is on hold as a result of the partial government shutdown.
Most Department of Health and Human Services' agencies - including the Office for Civil Rights and the Office of the National Coordinator for Health IT - remain open because an appropriation to fund them was enacted last year. But some parts of the Food and Drug Administration and Indian Health Service, which were not funded, are shut down, government sources tell Information Media Security Group.
The headquarters of OCR, which enforces HIPAA, as well as its regional offices continue to operate, investigating cases and working on policy, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who formerly worked at OCR.
"We are unlikely to see progress on privacy and security regulations until the partial shutdown is resolved."
—Adam Greene, Davis Wright Tremaine
But some regulatory work is held up because of a lack of funding for the Office of Management and Budget, which reviews most proposals. "We are unlikely to see progress on privacy and security regulations until the partial shutdown is resolved," Greene says.
OMB activity on hold includes a review of HHS's overdue proposed information blocking rule, which addresses inappropriate and intentional blocking of electronic health information exchange by organizations. Also on hold, an ONC official tells ISMG: ONC's proposed regulations to carry out the 21st Century Cures Act, which includes provisions for improving health information sharing, as well as ONC's Trusted Exchange Framework and Common Agreement, which also aims to help fulfill a call for increased secure, health data exchange.
In a statement posted on FDA's website about the impact of the shutdown, the agency notes that "mission critical surveillance for significant safety concerns with medical devices and other medical products will ... continue."
In addition, other mission critical, public health activities that will continue at FDA include: "maintaining core functions to handle and respond to emergencies - such as monitoring for and quickly responding to outbreaks related to foodborne illness and the flu, supporting high-risk food and medical product recalls when products endanger consumers and patients, pursuing civil investigations when FDA believes public health is imminently at risk and pursuing criminal investigations."
Because the Federal Register is affected by the partial shutdown, a Jan. 23 meeting of the Health IT Advisory Committee was cancelled because HHS was unable to formally announce it.
A Jan. 8 email from ONC to committee members obtained by ISMG noted: "The Federal Advisory Committee Act requires that a notice of a federal advisory committee meeting be published in the Federal Register at least 15 calendar days prior to the meeting. During the federal government funding lapse, the Federal Register is not being supported, and the HITAC 2019 meeting schedule could not be published in the Federal Register. Therefore, we must cancel the meeting."
Privacy attorney Kirk Nahra of the law firm Wiley Rein asserts that as a result of the partial government shutdown, "I expect that work on guidance, regulations, etc., has slowed down to almost nothing. I am concerned about cyber protections everywhere relevant in the government. Very little is being done that isn't immediately critical."
While OCR is open, "I expect that new investigations generally are not being opened, and existing investigations are not being moved forward," Nahra says. "Other projects are on hold. There's nothing good about it, in terms of privacy and security activities."
If that's true, it remains to be seen what impact relative inactivity might have on healthcare organizations' security and compliance efforts.
OCR did not immediately respond to ISMG's request for comment.
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm Cynergistek, claims that even before the partial government shutdown, OCR seems to have scaled back some of its HIPAA enforcement activities.
"The number of cases in which OCR has levied fines/penalties through resolution agreements has dropped sharply during the Trump administration," he contends. "Also, outreach programs like the monthly cybersecurity newsletter have stopped."
OCR's last monthly cybersecurity newsletter was issued in October 2018.