With President-Elect Donald Trump’s unlikely victory in Tuesday’s election, we begin to look ahead at what the Trump Administration will mean from a medical privacy perspective. Neither the media, nor Trump himself, made privacy, much less medical privacy, an issue during the 2016 campaign season. Accordingly, privacy and related issues were not a major part of his campaign platform, and were far from center stage during this election cycle. Part of the reason that privacy took a backseat may have more to do with the fact that it largely has been a bipartisan issue that does not sharply divide the electorate like taxes, immigration, or a wall around our border. Free trade agreements were, in fact, one of those unifying topics for the past several decades – not now!
Although Trump has made quite clear that “Obamacare” (the Affordable Care Act (ACA)) is a high-priority chopping-block item, he otherwise has not provided much of a glimpse into his views on healthcare and medical privacy. In fact, his Healthcare Reform position paper does not mention medical information, privacy, security, or data breach. His focus is to repeal the ACA, which will require a significant legislative focus.
He has, however, made his overall approach to federal governance very clear. Measure number three (of six) in Donald Trump’s Contract with the American Voter “to clean up the corruption and special interest collusion in Washington, DC” pledges that “for every new federal regulation, two existing federal regulations must be eliminated.” Now, it is unclear to these bloggers what the President-Elect’s definition of a “regulation” is. It could, we suppose, be viewed as a single section of the Code of Federal Regulations. It could be multiple sections combined to form essentially a single requirement. For instance, the requirement that Covered Entities and Business Associates execute a Business Associate Agreement is one requirement, but is codified in more than one section of the Code – i.e., 45 C.F.R. §§ 164.314 and 164.504. Would removing one section count as one regulation? Would taking the other one out as well satisfy the Trump Contract’s pledge to remove two? Taking this uncertainty a step farther, one “regulation” could be seen as the entire Privacy Rule, the entire Security Rule, or the entire Breach Notification Rule. Anyway, a technicality juicy for robust debate.
HIPAA, as we know it today, is stronger than it has ever been. That is, HHS’s Office for Civil Rights’ (OCR) 2013 omnibus final rulemaking strengthened essentially all aspects of the federal rules following the statutory mandate imposed by Congress in the “HITECH Act” (which was part of the Stimulus Legislation signed into law by President Obama in February of 2009 in response to the Great Recession). Medical privacy became more important than ever and one could very credibly contend that medical privacy currently is as “regulated” as it has ever been. Trump plainly seeks to slash regulations but it frankly remains to be seen whether he views the HIPAA rules as too restrictive. Interestingly, during the campaign, Trump released his medical records very quickly and very willingly. His tax records, as we all know, were another story.
But some aspects of OCR’s 2013 omnibus final rule could arouse interest in an Administration walking around with regulatory shears. The rule in place today imposes limitations that, immediately upon issuance, many viewed as unconstitutional restrictions on the First Amendment’s guarantee of free speech. Indeed, HHS was sued over its original 2013 rule before it scaled its “marketing” restrictions back in an expansive Guidance later that year. We have written, talked, and blogged about these issues since the 2013 rulemaking landed. Despite the Guidance, which significantly expanded patients’ ability to receive communications about their doctor-prescribed therapies, the existing rule could still be somewhat ripe for pruning as it remains more restrictive than its predecessor – which allowed for a very broad range of “treatment” communications. Moreover, even though certain aspects of the rule are in line with the HITECH mandate, given that the Republicans now control both chambers of Congress in addition to the White House, aspects of the legislation itself could, in theory, also be in play.
Juxtaposed against the potential for scaling back certain aspects of HIPAA – i.e., privacy – is the prospect for actually strengthening another aspect – i.e., security; specifically, cybersecurity. Although outside of the context of medical record security, the President-Elect clearly is on record as intent on firming up the country’s cybersecurity. It does require a leap from cybersecurity for national defense to the same for medical privacy, but it is not a giant leap to see it as a possibility, particularly given the increased attention in the healthcare community to the importance of the NIST Cybersecurity Framework. As Trump stated, “to truly make America safe, we must make cybersecurity a major priority . . . for both government and the private sector.”
Much of this will be shaped, at least in part, by Trump’s choice to lead HHS. Names being bandied about include Florida Gov. Rick Scott, former House Speaker Newt Gingrich, and Ben Carson, former GOP presidential candidate. Carson would appear, at least for the moment, to be the front-runner. In fact, Trump has publicly called out Carson as a “brilliant” physician, specifically stating that “I hope that [Carson] will be very much involved in my Administration in the coming years.” Another name under consideration is rumored to be Trump transition team executive director, Rich Bagger, a pharma industry veteran who orchestrated Trump’s fund-raising meetings with health care executives.
As always, of course, we will be actively monitoring developments as this new Administration begins to take shape and the members of Trump’s Cabinet are named. Stay tuned.