More Funding for HIPAA Audits?
Obama's Fiscal 2017 Budget Again Proposes Additional Support
The Obama administration's proposed fiscal 2017 budget for the Department of Health and Human Services yet again seeks additional funding for the long overdue HIPAA compliance audit program and a variety of other health data privacy and security efforts.
President Obama's proposed budget for fiscal 2017, which begins Oct. 1, includes $1.15 trillion for HHS, up about 3 percent from the budget authorized for fiscal 2016. The president's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government. It's unlikely a GOP-controlled Congress will approve many of the Obama administration's proposed increases, especially in his final year in office.
In addition to more funding for HIPAA compliance audits, the HHS budget seeks to boost funding for the Office of the National Coordinator for Health IT to advance secure nationwide health information exchange and interoperable healthcare IT, making sure that, for example, electronic health records can easily exchange data.
OCR Proposed Funding
The proposed fiscal 2017 budget for HHS' Office for Civil Rights, which enforces HIPAA, calls for about a 10 percent increase to $43 million, up from $39 million that was approved for the office in both fiscal 2016 and 2015. OCR is looking to add 18 full-time equivalents to its current staff of 180.
OCR officials last fall said they planned to launch the next round of HIPAA compliance audits in 2016 (see New HIPAA Compliance Audit Details Revealed).
"OCR is committed to launching the second phase of its audit program in FY2016," an OCR spokesperson tells Information Security Media Group. "We will share more information on the details of our audit program as it becomes available."
In fiscal 2017, an HHS budget brief notes, "OCR plans to conduct comprehensive and desk audits of covered entities and business associates. Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance. The audit program will offer a new tool to help ensure HIPAA compliance by covered entities and business associates while also informing OCR on areas in which to direct its enforcement and technical assistance."
HHS also sought extra funding in fiscal 2016 for HIPAA compliance audits, but ultimately Congress did not approve any increase in its budget.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine is hopeful that OCR soon will offer more clarity about its audit plans for this year. "After much delay, I do expect to see the audits start up over the next few months. But we still have not seen an updated audit protocol, which OCR has indicated will precede the start of the next round of audits," he says.
Greene would like OCR to offer more clarity about which parts of the HIPAA rules are applicable to business associates, "as this would help make the audit protocol more useful to health IT start-ups and other business associates who are struggling to understand their obligations." In addition, the privacy attorney would like to see the updated audit protocol clarify what OCR's expectations are for what small, midsize and large organizations need to do to comply with HIPAA.
The proposed funding increase for OCR would also enable the office to "modernize HIPAA protections, support innovation in healthcare, ensure adequate protections in new programs and technologies, streamline requirements to make them less burdensome, and evaluate new areas where HIPAA does not currently apply," according to an HHS budget brief.
OCR did not immediately respond to an ISMG inquiry for details about OCR's HIPAA modernization plans. Some privacy and security experts, however, are anxiously awaiting more specifics.
"I don't think there is a great need to streamline HIPAA's requirements overall, but I do think it would be useful to provide better guidance and reduce the impact of the detail of the HIPAA Security Rule on business associates, particularly for entities who have a limited exposure to PHI," says privacy attorney Kirk Nahra of law firm Wiley Rein LLP.
"The question of modernization and innovation is also linked to what - to me - is the biggest policy issue in this area - what to do about all of the healthcare data that is being created, gathered and analyzed outside of the HIPAA context," he says. "OCR is looking at that, but they have a jurisdiction issue. ONC is looking a bit also, but they are in a bit of an odd place to do that analysis. The Federal Trade Commission may be a better overall place for that review, but this debate is growing and becoming more significant every day."
ONC Proposed Funding
The proposed fiscal 2017 HHS budget also seeks to boost funding for ONC by 36 percent to $82 million. ONC's budget was $60 million in both fiscal 2015 and 2016.
"The budget ... provides continued investments to achieve secure, seamless data interoperability in order to better serve caregivers, providers, payers, public health officials, scientists, and ultimately enhance health for all Americans," the HHS budget brief notes. "Specifically, the budget proposes an increase of $22 million and new authorities for ONC to strengthen patient safety and quality of care through the nationwide advancement of interoperability, reliability and usability of health information technology."
Mac McMillan, CEO of the security consulting firm CynergisTek, suggests that ONC should add more support for security education. "I'd like to see more focus on support for government/industry funding to support development/training of security professionals to fill the many gaps in experience we have in the industry," he says. "Second, I'd like [ONC] to keep their eye on interoperability as that is key to security."
ONC's proposed budget would also fund a number of other privacy and security efforts, including "a coordinated approach to explicitly prohibit [inappropriate] information blocking and investigate and impose appropriate sanctions for offenders," the HHS budget brief says.
Information blocking refers to intentional efforts by healthcare organizations, technology services providers and electronic health record vendors to impede the secure exchange of health data.
In addition, the budget brief notes that ONC has used its coordinating role to work with the FTC "on new resources for health IT developers on privacy and security best practices."
Also, through a task force on application programming interfaces, ONC is identifying privacy and security challenges presented by mobile and other emerging health information technology that need to be addressed so that individuals and providers feel confident adopting new technology, the brief states.
The ONC's budget focus on interoperability of health IT is critical, says the College of Healthcare Information Management Executives, an association of CIOs and CISOs. "On the ONC front, CHIME supports efforts to boost interoperability and accelerate the development and adoption of standards. The lack of interoperability remains one of the biggest barriers to having a truly connected delivery system."
Jeff Coughlin, senior director of federal and state affairs at the Healthcare Information and Management Systems Society, says that the proposed funding boost for ONC could help the office continue critical initiatives that were built over the last year or so, including its 10-year road map for interoperable, secure health data exchange.
"ONC produced so much work last year, and the proposed budget can help implement and continue all those programs," he says. "By and large, there is support from many different industry stakeholders for this budget."