Surprisingly, amidst the Federal Bureau of Investigation (FBI) uproar, President Trump today signed an executive order addressing cybersecurity for the federal government and critical infrastructure, along with international coordination and cyber deterrence. The substance of the order, which is about to be made public, comes from various press releases and interviews with administration officials. The order is composed of three sections: cybersecurity and IT modernization within the federal government, protecting critical infrastructure, and establishing a cyber deterrence policy and coordinating internationally on cyber issues. In directing cabinet agencies to protect critical infrastructure, the order references the Obama administration’s “section 9” list of most critical entities, which already has prompted questions from industry. Specifically, the order directs the Commerce Department and the Department of Homeland Security to coordinate an effort to reduce botnet cyber-attacks through a voluntary partnership with industry. This effort mirrors health industry association comments to Commerce’s National Institute of Standards and Technology (NIST), which next week will have an open forum to address the many comments made to its rulemaking proposals. Interestingly, the order directs the cabinet agencies to coordinate their own efforts with NIST. The White House staff has been quoted as saying that “it is about time” the federal government was held to the same standard as private industry in addressing cybersecurity. Consistent with industry requests, the framework is a voluntary tool actually developed in collaboration with industry, which argues that flexibility is required because policies must be adapted to the needs of different entities.

On the health care cyber front, it is interesting to note that James Comey’s last formal speech was given on May 8th to the American Hospital Association in which he raised concerns about the ability of the FBI to combat cyber-attacks and urged cooperation with hospitals and health systems not to get patient records but “fingerprints of digital intrusion.” I note that this is the point of the work of InfraGard, a cooperative effort between industry and the FBI, and is consistent with the public proposals of the Information Sharing and Analysis Organization Standards Organization (ISAO-SO), established by executive order.  Further information regarding those efforts, in which this author is active, can be provided at sgerson@ebglaw.com.

Comey’s abrupt departure suggests that his statements may quickly become passing memories, but the cooperative tone struck is more than a little inconsistent with proposals, for example, from the Department of Health & Human Services’ Office of Civil Rights (OCR), the enforcement agency for Health Insurance Portability and Accountability Act (HIPAA) matters, and from the Federal Trade Commission (FTC), which soon may inherit enhanced powers as the Federal Communications Commission is attempting to leave the cyber security enforcement field. Both the Office of Human Rights and the FTC stress enforcement as the optimal mode of gaining cyber compliance.

In the coming days, you may expect further analysis by Epstein Becker Green of OCR’s developing enforcement stance and other emergent government policies in the wake of the new Executive Order.

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming executive order will reflect the Trump administration’s focus on improving the security of federal networks, protecting critical infrastructure, and establishing a global cyber strategy based on international law and deterrence, other policy demands have intruded. Indeed, as the 100-day mark approached, President Trump announced that he has charged his son-in-law, Jared Kushner, with developing a strategy for “innovation” and modernizing the government’s information technology networks. This is further complicating an already arduous process for drafting the long-awaited executive order on cybersecurity, sources and administration officials say.

The Importance of NIST Has Been Manifested Throughout the Hundred Days

The expected cyber order likely will direct federal agencies to assess risks to the government and critical infrastructure by using the framework of cybersecurity standards issued by the National Institute of Standards and Technology, a component of the Department of Commerce.

The NIST framework, which was developed with heavy industry input and released in 2014, was intended as a voluntary process for organizations to manage cybersecurity risks. It is not unlikely that regulatory agencies, including the Office of Civil Rights of the Department of Health and Human Services, the enforcement agency for HIPAA, will mandate the NIST framework, either overtly or by implication, as a compliance hallmark and possible defense against sanctions.

NIST has posted online the extensive public comments on its proposed update to the federal framework of cybersecurity standards that includes new provisions on metrics and supply chain risk management. The comments are part of an ongoing effort to further revise the cybersecurity framework. NIST will host a public workshop on May 16-17, 2017.

Health Industry Groups Are Urging NIST to Set up a ‘Common’ Framework for Cybersecurity Compliance

Various health care industry organizations including the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have asked NIST to help the industry develop a “common” approach for determining compliance with numerous requirements for protecting patient data. Looking for a common security standard for compliance purposes, commenters also argue that the multiplicity of requirements for handling patient data is driving up healthcare costs. Thus, the groups urge NIST to work with the Department of Health and Human Services and the Food and Drug Administration “to push for a consistent standard” on cybersecurity. One expects this effort, given strong voice in the First Hundred Days, to succeed.

The Federal Trade Commission is Emerging as the Pre-eminent Enforcement Agency for Data Security and Privacy

With administration approval, the Federal Communications Commission is about to release today a regulatory proposal to reverse Obama-era rules for the internet that is intended to re-establish the Federal Trade Commission as the pre-eminent regulatory agency for consumer data security and privacy. In repealing Obama’s “net neutrality” order, and ending common carrier treatment for ISPs and the concomitant consumer privacy and security rules adopted by the FCC, the result would be, according to FCC Chairman Pai, to “restore FTC to police privacy practices” on the internet in the same way that it did prior to 2015. Federal Trade Commission authority, especially with regard to health care, is not without question, especially considering that the FTC’s enforcement action against LabMD is still pending decision in the 9th Circuit. However, the FTC has settled an increasing number of the largest data breach cases. The Federal Trade Commission’s acting bureau chief for consumer protection, Thomas Pahl, this week warned telecom companies against trying to take advantage of any perceived regulatory gap if Congress rolls back the Federal Communications Commission’s recently approved privacy and security rules for internet providers.

OCR Isn’t Abandoning the Field; Neither is DoJ

While there have been no signal actions during the First Hundred Days in either agency, the career leadership of both has signaled their intentions not to make any major changes in enforcement policy. OCR is considering expanding its policies with respect to overseeing compliance programs and extending that oversight to the conduct of Boards of Directors.

The Supreme Court Reaches Nine

Many would argue that the most important, or at least most durable, accomplishment of the Trump Administration to date is the nomination and confirmation of Neil Gorsuch to the Supreme Court. Justice Gorsuch is a conservative in the Scalia mold and is expected to cast a critical eye on agency regulatory actions. There is no cybersecurity matter currently on the Supreme Court’s docket, but there will be as the actions and regulations of agencies like the FTC, FCC and DHHS are challenged.

On his first day in office, President Trump issued an Executive Order entitled “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal.” The Executive Order is, in effect, a policy statement by the new administration that it intends to repeal the Patient Protection and Affordable Care Act (the “ACA” or the “Act”) as promptly as possible. The Executive Order also directs the Secretary of Health and Human Services and the heads of all other executive departments and agencies that, pending repeal of the ACA, they are to exercise the full extent of their authority and discretion to “take all actions consistent with law to minimize the unwarranted economic and regulatory burdens of the Act, and prepare to afford the States more flexibility and control to create a more free and open healthcare market.”

Impact on the Individual Mandate

The Executive Order does not explicitly name provisions of the ACA to be targeted by executive agency and department heads. However, Section 2 appears to be aimed at the ACA’s “individual mandate,” which requires that individuals obtain health care insurance or pay a fine, and one potential effect of the Executive Order may be limited enforcement of the individual mandate:

To the maximum extent permitted by law, the Secretary of Health and Human Services (Secretary) and the heads of all other executive departments and agencies (agencies) with authorities and responsibilities under the Act shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.

Impact on the Insurance Marketplace

The Executive Order also mandates that executive agency and department heads “provide greater flexibility to States and cooperate with them in implementing healthcare programs,” and “encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.”

Regulatory Freeze

Also on January 20, 2017, the White House issued a memorandum to the heads of executive departments and agencies entitled “Regulatory Freeze Pending Review.” The memorandum directs that, except for certain emergency situations, no regulation be sent to the “Office of Federal Register (the “OFR”) until a department or agency head appointed or designated by the President after noon on January 20, 2017, reviews and approves the regulation.” “[W]ith respect to regulations that have been published in the OFR but have not yet taken effect,” the memorandum directs agency and department heads to postpone the effective date for 60 days from the date of the memorandum, as permitted by law and subject to exceptions for emergency situations. The memo also instructs executive agency and department heads to consider delaying effective dates beyond the 60-day period to address substantial questions of law or policy.

So, What Does This Mean… From the Counselor to the President

On Sunday, January 22, 2017, Kellyanne Conway, Counselor to the President, said that President Trump “wants to get rid of that Obamacare penalty almost immediately, because that is something that is really strangling a lot of Americans…”[1]

When asked if Trump would stop enforcing the individual mandate, she replied, “He may.” Conway also stated that the Trump Administration planned to end ACA’s requirement that employers with more than 50 full-time workers offer affordable coverage to their workers. “We’re doing away with this Obamacare penalty,” she said. “This tax has been… a burden on many small business owners…”[2]

Conway also noted that the Trump Administration does not intend to eliminate ACA entirely: “For the 20 million who rely upon the Affordable Care Act in some form, they will not be without coverage during his transition time.”[3] Conway noted that the President is “going to replace this with a plan that allows you to buy insurance across state lines, that is much more centered around the patient, and access to health care. . .”[4]

What’s Next And What To Watch?

Earlier today, Republican Senators Susan Collins of Maine and Bill Cassidy of Louisiana unveiled a bill intended to be an “Obamacare replacement plan,” “The Patient Freedom Act of 2017.” The Senators’ proposal, which is based upon a proposal originally put forward by the Senators in 2015, is intended to provide more power to the states on health care policy, to increase access to affordable insurance, and to help cover those who are currently uninsured.[5] For instance, states that like Obamacare will be able to keep it. Senator Cassidy explained as follows: “So, California and New York, you love Obamacare? You can keep it.”

In sum, uncertainty remains as to the extent that ACA will be changed, replaced, or otherwise amended, whether the changes will be administrative or legislative, and how much the changes to the Act will disrupt the health care marketplace. A flurry of further activity by the President, agency administrators, and members of Congress is expected over the coming days and weeks. Health care entities should closely follow these developments to ensure that they have sufficient time to react and adapt to the changing health care environment.

___

[1] ‘This Week’ Transcript 1-22-17: Kellyanne Conway, Sen. John McCain, and Sen. Chuck Schumer, http://abcnews.go.com/Politics/week-transcript-22-17-kellyanne-conway-sen-john/story?id=44954948 (last accessed Jan. 23, 2017).

[2] Trump’s ACA executive order heightens insurance market jitters, Modern Healthcare, Jan. 22, 2017, http://www.modernhealthcare.com/article/20170122/NEWS/170129985/breaking-trumps-aca-executive-order-heightens-insurance-market (last accessed Jan. 23, 2017).

[3] Emily Schultheis, Top Trump Aide: 20M on Obamacare “Will Not Be Without Coverage” in Transition to New Plan, http://www.cbsnews.com/news/top-trump-aide-20m-on-obamacare-will-not-be-without-coverage-in-transition-to-new-plan/ (last accessed Jan. 23, 2017).

[4] ‘This Week’ Transcript 1-22-17: Kellyanne Conway, Sen. John McCain, and Sen. Chuck Schumer, http://abcnews.go.com/Politics/week-transcript-22-17-kellyanne-conway-sen-john/story?id=44954948 (last accessed Jan. 23, 2017).

[5] https://www.collins.senate.gov/newsroom/senators-collins-cassidy-introduce-aca-replacement-plan-expand-choices-lower-health-care (last accessed Jan. 23, 2017).

by Joseph J. Kempf, Jr., and Jane L. Kuesel

On April 12, 2012, Governor Andrew Cuomo issued an Executive Order requiring the State of New York to establish an American Health Benefit Exchange and Small Business Health Options Program in New York (together, the “Health Benefit Exchange”). The Governor’s action was taken in response to the mandate contained in Section 1311 of the Patient Protection and Affordable Care Act, and the New York Legislature’s failure to enact legislation to begin development of the Health Benefit Exchange. Although the Health Benefit Exchange is tied to compliance with federal health care reform, it will have an impact on all health care plans offered in the individual and small group markets in New York.
