2016 Budget Increases Funding for HIPAA Audit Program
The 2016 budget set by President Obama’s administration on Monday this week proposes a 4.8% increase in funding for the Department of Health and Human Services, while its Office for Civil Rights is to see a budget increase of 10% from the 2015 fiscal year; if congress approves the appropriation bills to provide the funding.
The OCR had a proposed budget increase for the 2015 fiscal year, although it did not receive that additional funding; instead it received a flat budget following the signing of the Consolidated and Further Continuing Appropriations Act, 2015 on December 16th, 2014.
The proposed 2016 budget raises funding for the Office for Civil Rights to $42.7 million – an increase of $3.9 million – which is intended to help it set up a permanent HIPAA audit program, and will allow the OCR to employ a further four permanent members of staff.
The HIPAA Compliance Audit program commenced in 2011 with a series of pilot audits which highlighted numerous failures by the healthcare industry to bring policies and procedures up to date with the HIPAA Omnibus Rule of 2013, but also revealed that 80% of audited healthcare providers had failed to conduct a full and thorough risk analysis, as demanded by the HIPAA Security Final Rule of 2003.
Leon Rodriguez, the former OCR Director, was keen to implement a permanent audit program to ensure continued compliance with HIPAA Privacy and Security Rules, yet the OCR’s audit program has stalled with it yet to complete its second round of compliance audits. The second round was originally scheduled to take place by the fall of 2014, with healthcare providers, clearing houses and health planned scheduled to be audited first, followed by Business Associates, which are now covered by HIPAA following the introduction of the Omnibus Rule.
However, those audits were delayed last year in order to allow the OCR to implement a new web portal to facilitate the collection of audit documents. The automation of data collection is a necessity due to the huge administrative burden it places on the OCR. The system is now being tested, although the OCR has yet to finalize its second round audits. Last month Samuels said that they would begin expeditiously, although the timeline for the audits was not announced.
In a letter accompanying the proposed HHS budget changes, Samuels said “The two primary objectives of this program are to further promote voluntary compliance and to utilize audit data to better target our existing technical assistance efforts.” She went on to say that “The audit program will add tremendous value to OCR’s compliance and enforcement mission by enabling OCR to proactively and systematically measure industry compliance with HIPAA.”
If the new budget is approved it will give the OCR much needed funding to start its permanent audit program, although in the meantime the OCR’s budget is tight. In the words of Samuels, “In the current constrained fiscal  environment, OCR continues to examine ways we can do more with our resources.”
The budget sees significant increases in spending to improve cybersecurity and will help Obama’s Administration develop a nationwide secure health data exchange as well as implement a number of security measures intended to reduce the risk of identity theft and medical fraud.
The Office of the National Coordinator for Health IT, which is tasked with developing the national exchange of health information, has been given a budget increase of 52% from last year. This increases its funding by an additional $30 million to $91.8 million and will allow the department to employ a further 15 members of full time staff. According to Karen DeSalvo, M.D., leader of the ONC, “The FY 2016 budget request reflects ONC’s commitment to developing a nationwide, interoperable learning health system that assures that data can be securely collected, used and shared by the right people at the right time to achieve better care and better health at a lower cost.”
The ONC has recently produced a 10-year plan for improving privacy and security, which includes $9.1 million for IT policy and governance and $4.8 million for new privacy and security safeguards. These include the development of methods of identity management, providing patients with additional controls over the disclosure of their Protected Health Information, issuing guidance to both consumers and stakeholders on HIT and setting adoption strategies for the nationwide health information exchange.
A further $50 million is being earmarked for new measures to protect senior citizens from identity theft, including the removal of social security numbers from Medicare cards, which was originally tabled in 2002 by both the HHS Office of the Inspector General and the Government Accountability Office. The HHS has also requested a further $73 million to manage its cybersecurity program; an increase of $28 million from last year.
Obama announced in his State of the Nation speech last month that he intends to increase funding for “treatments, diagnostics and prevention strategies tailored to the individual genetic characteristics of each patient, also known as precision medicine.” $215 million in additional funding has been proposed for this purpose.
The 2016 budget also calls for an additional $1 trillion in new tax measures and a 4.5% increase in military spending. The total budget of $3.99 trillion for the fiscal year commencing Oct. 1 sees an overall increase of 6.4% from the previous year, and is expected to reduce the budget deficit to $474 billion for the year, with revenue increased to $3.53 trillion. This would reduce the deficit to a level not seen since 2008.