Safe & Sound with Marianne Kolbasuk McGee


Could Impact of Proposed Cuts to OCR's Budget Be Softened?

'Budget Justification' Document Describes a Way to Offset Some of Cuts

While Congress will certainly make many changes in the Trump administration's fiscal 2018 federal budget, supplemental documents released by the Department of Health and Human Services to "justify" the proposals provide some interesting insights into the actual impact of proposed budget cuts.


For instance, a budget justification document notes that while HHS is proposing to cut the Office for Civil Rights' budget by about 16 percent, some of the lost funding will be offset by OCR beginning to dip into the money the agency has collected from HIPAA settlements and civil monetary penalty cases.


In the document, HHS acknowledges that a $6.1 million reduction proposed for OCR's budget in fiscal 2018 "would require decreases in authorized regional investigators, which could limit OCR's capacity to resolve complaints and perform other related agency functions such as investigations, compliance reviews, technical assistance, and outreach."

But to minimize the impact of the budget cut, "OCR will increase use of funds from monetary settlements collected via OCR's HIPAA enforcement activities to cover other items related to health information privacy enforcement activities," such as attorney services and overhead costs, the document notes. "The planned usage of at least $2.9 million of settlements leaves the overall total program reduction at approximately $3.3 million."

More Than HIPAA

It's important to remember that OCR doesn't just enforce HIPAA. As the agency's name implies, OCR also enforces a variety of health-related civil rights and non-discrimination regulations. So, OCR programs that have nothing to do with HIPAA could also potentially feel the sting of the proposed budget cut.

But considering that OCR collected more than $20 million in 2016 through 12 HIPAA settlements and one civil monetary penalty case - and is on a similar path so far in 2017 with a number of large settlements already - there could be plenty of additional funds to potentially tap for HIPAA enforcement activities, beyond the conservative $2.9 million that's noted in the budget justification document.

Keep in mind, however, that OCR is still on the hook to issue HITECH Act-mandated rules to distribute some of the funds it collects from HIPAA enforcement activities to those who have been harmed by breaches.

What's Next for Audits?

The document doesn't shed much light on the future of OCR's HIPAA compliance audit program, with no details about what might happen in the next phase.

The document doesn't indicate whether OCR will make good on its promise to conduct an unspecified number of more comprehensive onsite audits of covered entities and business associates in fiscal 2017 - which ends Sept. 30 - as part of its Phase 2 plans.

In phase two of the audits last year, OCR conducted remote "desk audits" of 209 covered entities and business associates to assess their compliance with various provisions of the HIPAA security, privacy and breach notification rules.

"Phase 2 will be used as a tool to evaluate industry compliance and help reveal best practices as well as patterns of noncompliance that should be the focus of more targeted guidance and outreach," the document notes.

As with the HIPAA audit pilot program that OCR conducted in 2011 and 2012, OCR will prepare "an overall evaluation of this second audit phase, in order to continue to build the more permanent audit program established under the HITECH Act," the document vaguely adds.

So do you think OCR will continue to announce an even larger number of HIPAA settlements in 2017 and beyond as warnings for healthcare organizations to improve their security habits - while also raising much-needed cash for the agency's activities? And what about the HIPAA compliance audit program? Will it continue on a small scale, if at all? Share your views in the comments section below.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
