The Impact on HHS of Trump’s Regulatory Reduction Order
Legal Experts Say Order Creates Uncertainty for New Regulations
Privacy and data security experts are sizing up how an executive order signed by President Trump, which requires that two existing regulations be eliminated for every new regulation issued by an executive branch department or agency, might affect the actions of the Department of Health and Human Services.
Some experts question whether the order will, in fact, create a disincentive to issue new regulations, such as HIPAA-related measures. But others say it could hamper efforts to carry out certain actions called for in the 21st Century Cures Act, signed into law late last year by President Obama in an effort to advance medical innovation.
Meanwhile, on Jan. 31, Trump postponed signing another executive order calling for a review of the nation’s cybersecurity capabilities and vulnerabilities (see Report: Trump to Call for Cybersecurity Review).
“Reducing Regulations and Controlling Regulatory Costs,” the executive order Trump signed on Jan. 30, says that for every one new regulation issued by an executive branch department or agency, “at least two prior regulations be identified for elimination, and that the cost of planned regulations be prudently managed and controlled through a budgeting process.”
The order cites cost as its main driver. “It is the policy of the executive branch to be prudent and financially responsible in the expenditure of funds, from both public and private sources. In addition to the management of the direct expenditure of taxpayer dollars through the budgeting process, it is essential to manage the costs associated with the governmental imposition of private expenditures required to comply with federal regulations.”
But the executive order could have the unintended impact of creating more bureaucratic red tape, warns privacy attorney David Holtzman, vice president of the security consulting firm CynergisTek.
“The executive order establishes new requirements that agencies must adhere to an annual cap for the estimated cost of new regulations and eliminate existing regulations to lower the cost of regulatory burden,” he notes. “When implemented, these provisions could result in a whole new bureaucracy to measure, balance and monitor regulatory costs across agency budgets. Left unaddressed is the impact on complex regulatory schemes that are shared across several or many executive agencies.”
For example, he notes: “The Common Rule regulates standards for research involving human subjects by 16 separate federal agencies. How will the cost of the regulatory burden be apportioned and which agency will be forced to pick up the tab?”
OCR, ONC Impact
Some legal experts say the impact the order will have on HHS and its units, including the Office for Civil Rights – which oversees HIPAA enforcement – and the Office of the National Coordinator for Health IT – which oversees health IT policies and standards, including those related to interoperable, secure health data exchange – is unclear.
“It’s almost impossible at this point to figure out any real world specific impact from this,” says privacy and security attorney Kirk Nahra of the law firm Wiley Rein. Among unanswered questions right now: “For OCR, is the whole [HIPAA] privacy rule one regulation? Would a change to the privacy rule even count as a ‘new regulation’?”
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says he doesn’t expect the Trump executive order will have a “big impact” on HIPAA.
“The only upcoming regulations that I am aware of are the accounting of disclosures amendments and regulations for distributing a portion of HIPAA settlements and penalties to harmed individuals,” he notes. “Neither of these regulations appeared on the immediate horizon, but this executive order makes them even less likely, as HHS will have to carefully prioritize any new rulemaking.”
But Holtzman of CynergisTek says the executive order could have a chilling effect on some other security-related regulations.
“In the near term, the executive order and earlier actions to review final rules that had not taken effect will have the effect of freezing the issuing of new regulatory initiatives, regulatory guidance and review of recently issued regulation,” Holtzman contends.
The 21st Century Cures Act contains a variety of health IT and information sharing provisions that might be impacted, Holtzman says.
“ONC is reported to have been set to issue proposed rule-making to implement several aspects of the 21st Century Cures Act to add usability and interoperability metrics sections related to the [HITECH Act] electronic health records certification program quality metrics and a regulation that would help select ONC’s certification bodies for EHRs,” Holtzman notes.
Nahra says that OCR was expected to issue “some guidance on various points [of the 21st Century Cures Act], but that should not be [affected by] this new executive order. ONC is a little trickier, although the push there has been to cut back on some of the requirements [related to the HITECH Act meaningful use incentive program for EHRs] even independent of this new executive order.”
Another area that could be potentially impacted by the executive order relates to Trump’s promise to repeal the Affordable Care Act, also known as Obamacare.
The executive order “will be especially important in the context of the Affordable Care Act and its still-to-be-determined replacement – but on the whole, this seems like a broad, vague general political statement, with lots of room for future statements about math and lots of flexibility on how to do the math – rather than anything specific in a specific area,” Nahra says.
Regulations that touch on privacy and security from other agencies also could be affected by the executive order.
“The executive order on controlling regulatory action leaves a lot of issues open to decisions to be made by the Director of the Office of Management and Budget,” Holtzman notes.
“Beyond the headlines of ‘repealing two existing regulations for every new one’ are exceptions for rules implementing a mandate passed by Congress,” he says. “Left to be defined are important provisions like what is a ‘new rule’? Does it apply only to original rule-making proposals? Does it apply to revisions to established rules?”
The executive order does not apply to regulations and guidance of independent commissions and boards, including the Federal Trade Commission, the Federal Communications Commission or the Consumer Financial Protection Bureau, Holtzman says.
“I think agencies such as OCR, ONC, and FTC will be able to continue to provide sub-regulatory guidance, such as FAQs, and bring enforcement actions,” Greene adds. “The big question is whether the new administration has a position on current health information privacy and security regulation and enforcement, such as whether there is too much or too little enforcement, or whether restrictions on healthcare providers and plans should be loosened.”
Source: SANS ISC SecNewsFeed @ January 31, 2017 at 04:12PM