Does a repeal or reworking of the Affordable Care Act mean that we should expect less focus on HIPAA and cybersecurity? Almost certainly not. In fact, we may even see more enforcement rather than less.
As is to be expected with a changing administration, there’s much speculation about what the next four years will bring, particularly with regard to healthcare and the ACA. However, healthcare information management security leaders, like the HIMSS director of state and federal affairs, believe that regardless of what happens to the ACA, attention to health IT cybersecurity will increase, not decrease. After an unprecedented spate of cyber attacks in 2016, healthcare IT security is both vulnerable and vital.
If we were to predict the future, we might say that instead of HIPAA Privacy and Security Rules taking a backseat, expect the framework to serve as a springboard for more regulation. Plus, any new health care direction, such as the much-vaunted value-based care delivery ruminations, will take time to percolate.
Accountability promises to be even more at the forefront. Ever since the final Omnibus Rule expanded privacy and information security compliance requirements to include business associates, scrutiny has deepened. Health care systems, scrambling to recover from ransomware attacks and highly publicized third-party security data breaches, increasingly place their vendor partners under the microscope. For the first time, in 2016, OCR fined a business associate for not adequately protecting PHI (protected health information), calling attention to the need for BAs to buckle down, too. Going forward, vendors who handle PHI will be held accountable for their security flaws, emphasizing the need for all parties to implement a comprehensive risk and compliance program.
In the meantime, our new president has laid out his plan. During the campaign, his website detailed a comprehensive cybersecurity platform. From cyber-awareness training to task forces that coordinate how our nation responds to cyber-threats, expect the new administration to place concentrated attention on our information security.
Big change takes time. But neither extensive revisions nor a completely new Act will lessen the need for healthcare IT security. Rather, even more data being generated means an increased need for strong cybersecurity measures. Just look at the elements of the 21st Century Cures Act. Its underpinnings rely on extensive use of health IT. Can the mass amounts of health data its activities will create allow for any but the strongest information security?
No matter the effect of the new administration on the ACA, expect to see more headlines focused on health IT and cybersecurity, not fewer.