On March 19, 2021, Xavier Becerra was confirmed as the secretary of the U.S. Department of Health and Human Services (HHS). HHS is the federal regulatory body that oversees the Office for Civil Rights (OCR), which is the primary federal enforcer of the Health Insurance Portability and Accountability Act (HIPAA).
The secretary oversees 11 operating divisions and 15 offices (including OCR), and as a result, he is not solely focused on HIPAA and privacy issues. However, if Becerra maintains his California state of mind, we can reasonably anticipate that privacy reform will be a high-ranking item on his federal agenda.
During his tenure as the California attorney general, the highly debated, first-of-its-kind privacy law called the California Consumer Privacy Act (CCPA) was enacted and amended. The years-long comment process included significant refinements related to the interaction between the CCPA and HIPAA.
Even before the CCPA, California had been known as a pioneer of consumer privacy laws and regulations. For instance, California was the first state to enact a data breach notification law, in 2003. California also has a breach notification law for specific types of healthcare and healthcare-adjacent entities, which requires that notice be given to individuals and regulators within 15 days of the entity’s discovery of a potential security incident. Additionally, California has a number of other unique consumer privacy laws, such as the Song-Beverly Act, which prohibits the collection of ZIP codes with an in-person credit card purchase, creating a spike in class action litigation in the early 2000s.
Notably, the public comment period for the proposed HIPAA Privacy Rule changes, announced in December 2020, was set to expire on March 22 (the next business day after Becerra was confirmed). On March 9, 2021, OCR announced an extension of the comment period to May 6, 2021, perhaps providing time for the secretary to become more involved with OCR’s response to comments on and amendments to the proposed language.