The Department of Health and Human Services has requested an additional $78 million in federal funding for the Office for Civil Rights (OCR), almost doubling the appropriations OCR currently receives. OCR enforces 55 privacy, security, civil rights, and religious freedoms statutes, and its caseload continues to increase, but its budget has remained flat for many years, only increasing in line with inflation. Years of flat budgets have left its resources and staff increasingly strained.
Ahead of the funding request, the HHS announced that it has restructured OCR to improve efficiency and get more out of its limited resources. The restructuring will help OCR to reduce the current backlog of investigations, but restructuring alone is not enough. “Since FY 2017, OCR has received a 28 percent increase in HIPAA complaints, and a 100 percent increase in HIPAA large breach reports, while OCR’s enforcement staff decreased by 45 percent due to flat budgets and inflationary increases,” explained the HHS in the report. OCR has also seen declining civil monetary collections since 2019 and its caseload in 2024 is expected to be twice that of 2018.
OCR has increased the number of enforcement actions for non-compliance with the HIPAA Rules, but despite twice as many penalties being paid in 2022 as in 2018, supplemental funds from its enforcement actions have fallen significantly. In 2022, OCR saw a 92.6% reduction in total penalties compared to 2018 despite a 100% increase in the number of penalties. The reduction in penalty amounts is due to a reexamination of the text of the HITECH Act. The HITECH Act called for an increase in civil monetary penalties for HIPAA violations, but after reexamining the text, OCR determined the language had been misinterpreted and reduced the maximum penalty amounts in three of the four penalty tiers.
Since 2019, the majority of civil monetary penalties and settlements have been for violations of the HIPAA Right of Access. These settlements and civil monetary penalties typically resolve cases involving HIPAA violations related to a single patient by small healthcare providers. The penalties agreed to resolve these HIPAA violations total just $2,440,150, with the penalties imposed ranging from $3,500 to $240,000 with an average payment of $56,748 and a median payment of $36,000. These investigations are far less complicated than investigations of cyberattacks, which are much more in-depth and resource intensive.
In 2021 and 2022, there were 36 civil monetary penalties and settlements, with just 5 resolving HIPAA violations other than HIPAA Right of Access failures. Increasing investigations of hacking incidents to determine whether there have been HIPAA Security Rule violations – which often result in multi-million-dollar penalties – is simply not possible with the limited resources at OCR’s disposal. OCR has already had one such penalty overturned by a federal appeals court, which ruled that OCR’s approach was arbitrary, capricious, and contrary to law. Further, OCR will soon also have to share a percentage of the funds it receives from its enforcement activities with individuals who have been harmed by HIPAA violations. That will reduce the supplemental funds OCR receives, and implementing that HITECH Act provision will also take a chunk out of OCR’s budget. It is clear that civil monetary settlement funding is no longer sufficient to address OCR’s budget shortfall.
OCR explained in the report that its 2024 legislative proposals seek an increase in the maximum penalties it can impose for HIPAA violations per calendar year, which will help to increase funding. The proposals also authorize OCR to work with the Department of Justice to strengthen OCR’s enforcement of the HIPAA Rules by obtaining injunctive relief, requiring HIPAA-regulated entities to take steps to prevent additional or further harm to individuals resulting from non-compliance with the HIPAA Rules in the most egregious and urgent cases. Even with the increase in penalty amounts, OCR is still likely to struggle to pursue those cases with its budgetary restrictions.
The $78 million budget increase includes funding for implementing a methodology for sharing funds from enforcement actions with victims of HIPAA violations and $6 million in funding to support enforcement activities related to substance use disorder records, as mandated by the CARES Act. The increase will also help OCR to boost its policy, education, and outreach efforts in non-discrimination areas including race, color, national origin, disability, sex, age, and religion.
While the increase in funding is desperately needed, this is not the first time that the HHS has requested additional funding to support OCR’s increasing caseload. Previous attempts have failed and there is little to suggest this year’s proposal will fare any better.
The post HHS Requests Additional $78 Million in Funding for OCR in Fiscal Year 2024 appeared first on HIPAA Journal.