Share this article on:
The Fiscal Year 2015 Budget in Brief has been prepared by the Obama administration and there is some bad news for the Department of Health and Human Services’ Office for Civil Rights. The Privacy and Security Budget for 2015 has been increased to $41 million for the coming year, but this only represents an increase of $2 million year on year.
The Office for Civil Rights has many roles: It is required to ensure equal, nondiscriminatory access to HHS services and to make sure they are received; it must ensure health information is properly protected; that patient privacy is protected; and it must also police HIPAA Rules and conduct compliance audits. Its budget is stretched and has to go a long way, and this year the OCR has a number of costly tasks ahead of it, in particular the upcoming second round of compliance audits. It is going to need every cent of that money.
The increase will be welcomed, even though it may not be enough. The money is intended to “support OCR’s centralized case management operations and online complaint system. Further, the budget supports continued HIPAA Security Rule enforcement as well as OCR’s expanded HIPAA responsibilities.”
However since the roles the OCR must perform are highly varied and often labor intensive, such a small budget increase may not be enough. Last year the agency had to deal with 9,500 complaints relating to violations of HIPAA, and the number of incidents is increasing fast. Compliance audits must be conducted, and when organizations are found to have breached regulations, individual action plans must be developed and financial penalties issued, the latter can take many months, if not years, to resolve.
The OCR can supplement its budget by retaining a portion of the fines it issues to organizations that do not comply with HIPAA regulations, and according to the budget summary, it was able to add $4 million to its operating budget in 2013. That figure is expected to rise to $5.5 million this year with increased enforcement actions anticipated.
There has been some criticism over how these funds are being allocated, as they are intended to be used to improve enforcement of HIPAA Rules. Few financial penalties are being issued and there does not appear to have been a great deal of progress made, and in helping organizations avoid data breaches and improve defenses. However, the department is strained and does not have sufficient numbers of staff to be able to police HIPAA as rigorously as many would like.
With the volume of work it has, without additional staff and a more significant investment in its budget, it will be difficult for the department to increase its efforts in policing HIPAA and start forcing healthcare providers and other covered entities to become HIPAA-compliant.