HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OCR to Receive $4 Million Budget Increase to Support Audit Program

The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.

HIPAA Compliance Audit Program to Receive a Funding Boost


The second phase of compliance audits are penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits in the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016.

The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the aspects of HIPAA that are causing problems for covered entities. The information gained during the audits will help direct future enforcement activities, develop future guidance, and provide better technical assistance to covered entities.

The second phase of audits are to be conducted by FCiFederal, and were expected to consist of desk-based compliance reviews of the Privacy Rule, Security Rule, or Breach Notification Rule, with each of the three aspects of HIPAA to be assessed by a separate audit module. Covered entities could therefore be expected to be audited on one, two or all three aspects of HIPAA.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

200 audits are now expected to be conducted during the next round of audits, with 150 to be conducted on healthcare providers and health insurers and 50 on business associates. Those audits are now expected to be split evenly on Privacy Rule and Breach Notification Rule Standards.

The second round of compliance audits should be followed with the implementation of a permanent audit program to continually assess the compliance efforts of covered entities.

OCR Increases Enforcement Activities


In recent months OCR has stepped up its HIPAA enforcement activities. Late last year, OCR announced three new settlement agreements with covered entities that were discovered to have breached HIPAA rules. In each case the HIPAA violations were uncovered following an investigation into reported data breaches. Last year, six settlements were reached with HIPAA covered entities bringing in an additional $6.175 million.

OCR retains and expends the funds from its enforcement activities which are used to support further enforcement actions.

This year, the financial penalties have continued. OCR recently announced Lincare Inc., had been ordered to pay a civil monetary penalty of $239,800 for failing to comply with the HIPAA Privacy Rule.

How Will OCR be Spending its 2017 Funding?


The budget increase will help OCR “modernize HIPAA protections, support innovation in healthcare, ensure adequate protections in new programs and technologies, streamline requirements to make them less burdensome, and evaluate new areas where HIPAA does not currently apply”

Not all of the budget increase will be used for matters relating to HIPAA. OCR will be using part of the budget increase to enhance enforcement activities relating to Section 1557 of the Affordable Care Act.

With only $4 million extra allocated for 2017, OCR will need to spend every penny of that budget increase wisely if all of the department’s objectives are to be achieved.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.