Breach Notification , HIPAA/HITECH , Security Operations
HHS OCR Asks Congress for Big Funding Boost
HIPAA Civil Penalty Settlements Can't Fund a Skyrocketing Caseload, HHS SaysThe federal office charged with enforcing privacy and security within the healthcare industry would receive a substantial funding increase under the Biden administration budget proposal for the coming fiscal year.
See Also: 57 Tips to Secure Your Organization
The proposal asks for $78 million in appropriations for the Office of Civil Rights within the Department of Health and Human Services - an amount that would nearly double the office's current annual appropriation of $40 million.
OCR would use the additional money to more than double its workforce of approximately 130 full-time civil servants. The office's case workload has skyrocketed since 2020 while the amount of civil penalty collections it uses to supplement its operations has fallen significantly.
The fiscal 2024 budget request reflects "years of flat budget authority, declining civil monetary collections, and increasing workloads," HHS writes. “Civil monetary settlement funding is no longer a viable solution" for the agency's budget needs.
The understaffing of OCR has also resulted in HIPAA-covered entities and business associates regularly waiting years for complaint investigations and compliance reviews, including breach investigations, to be concluded, said privacy attorney Iliana Peters of the law firm Polsinelli.
Several factors appear to be playing into the decrease in collections (see: Why Are HIPAA Fines Down 93% - With Data Breaches Soaring?).
They include the impact of a ruling in January 2021 by a federal appeals court that struck down a $4.3 million fine imposed by OCR in a breach case involving the University of Texas MD Anderson Cancer Center.
The court in its ruling said it found the penalty "arbitrary, capricious and contrary to law," calling into question the processes and analysis OCR uses in its enforcement decisions.
Also contributing to the decline in HIPAA settlement collections has been OCR's selection of enforcement cases to pursue in recent years, says privacy attorney David Holtzman of consulting firm HITprivacy.
"OCR has chosen to use its small and overworked investigative staff investigating complaints involving violations of the Privacy Rule's patient right of access," he said.
These enforcement actions have typically involved small healthcare providers.
"Compared to complex investigations of the hundreds of large breaches by healthcare organizations that affect millions of patients and result in multimillion-dollar settlements, the right of access cases result in relatively tiny amounts of funds collected through enforcement penalties," said Holtzman, a former senior adviser at HHS OCR.
The budget request also includes resources to support the implementation of a HITECH Act provision calling for the sharing of HIPAA settlements and civil monetary penalties with harmed individuals, HHS says.
OCR last year issued a request for information about how it might divvy up settlement and civil penalty money collected from HIPAA enforcement actions with individual breach victims, but the agency has yet to issue a proposed rule (see: HHS Seeks Input on Critical HIPAA Enforcement Considerations).
HHS writes that as part of OCR's 2024 legislative proposals, the agency is also looking to "enhance HIPAA protections" by seeking to increase the amount of civil money penalties that can be imposed in a calendar year for HIPAA noncompliance and authorize OCR to work with the Department of Justice to seek injunctive relief in federal court for HIPAA violations.
"Authorizing higher annual caps will strengthen OCR's enforcement of the HIPAA Rules. Authorizing OCR to seek injunctive relief will improve OCR's ability to prevent additional or future harm to individuals resulting from entities' noncompliance with the HIPAA Rules in the most egregious and urgent cases," HHS writes.
'A Snowball's Chance'
OCR’s budget request also includes $6 million to implement newer duties, including civil enforcement of confidentiality of substance use disorder patient records protections, as called for under the CARES Act.
This includes setting up a process for reporting breaches of unsecured records to HHS. OCR will create "a separate portal to receive the complaints; hire new investigators; and hire supervisory and program support staff to develop policy, guidance, and training," HHS writes. "OCR anticipates a substantial number of complaints consistent with HIPAA enforcement."
"OCR's chances that Congress will increase its appropriation in the FY 2023-24 budget are not good," Holtzman warns.
"The agency could not squeeze more money to fund its operations when Democrats controlled both houses of Congress. With Republicans controlling the House of Representatives on the hunt to curb government's 'woke' activities, OCR stands a snowball's chance in hell of seeing additional funding."