More HIPAA Enforcement Funding Sought

Office for Civil Rights Requests 13.5% Higher Budget
More HIPAA Enforcement Funding Sought
The Department of Health and Human Services' Office for Civil Rights is seeking a 13.5 percent increase in its budget for fiscal 2012 to fund initiatives primarily designed to enforce HIPAA and HITECH Act provisions for privacy and security.

The office, headed by Georgina Verdugo, is seeking a $5.6 million increase in its budget, which would total $46.7 million in fiscal 2012. Whether the funding increase will survive Congressional efforts to trim the federal budget remains to be seen.

"It's a fairly small budget request, so from a political standpoint, I think it might fly under the radar and be passed," says Patti Dodgen, CEO at Hielix, a healthcare IT consulting firm. "Clearly, this funding is key to being able to provide enforcement efforts" as well as guidance on HIPAA and HITECH compliance, she adds.

Privacy and security specialist Rebecca Herold, owner of Rebecca Herold & Associates, also is optimistic that the funding will win Congressional approval. "Because of the fact that privacy breaches impact all levels of the population in all income brackets and all geographic locations, this would seem to be an area where Republicans and Democrats would want to show their support to their constituents. Ensuring safeguards are in place for all citizens' patient information is a different matter than the hotly debated healthcare reform."

Plus, she notes that fines generated from enforcement could easily offset the increased budget.

HIPAA cases

In recent weeks, OCR has signaled a ramping up of enforcement with high-profile HIPAA privacy rule cases against Cignet Health and Massachusetts General Hospital.

Susan McAndrew, OCR's deputy director for health information privacy, said in a recent interview, "It is clear that we will be vigorously enforcing these requirements, and, with the increased penalties that are available to use under the HITECH Act, covered entities need to pay attention and take whatever steps they can to prevent complaints in the first place by meeting their obligations to the fullest."

Herold contends that until this year, OCR's enforcement efforts have been inadequate. "But their most recent actions should be seen as foreshadowing much more enforcement activities to come," she says.

The OCR's 2012 budget request does not include funding for its HITECH Act-mandated HIPAA compliance audit program. The budget proposal notes that funding for that program will come from the economic stimulus package.

McAndrew recently said OCR hopes to launch at least one pilot of HIPAA auditing methods later this year, but she would not predict when the actual auditing program would begin.

HIPAA, HITECH Enforcement

The increased funding sought in the fiscal 2012 OCR budget request includes:
  • $2.3 million for 10 regional privacy advisers. The HITECH Act requires the creation of these positions "to offer guidance and education to covered entities, business associates and individuals on their rights and responsibilities related to federal privacy and security requirements for protected health information," the budget request notes.
  • $1 million to support enforcement of the HIPAA security rule. OCR also enforces the HIPAA privacy rule.
  • $1.3 million for investigation of healthcare information breaches. The budget request notes that OCR already investigates all breaches affecting 500 or more individuals that are reported as required under the HITECH Act breach notification rule. The additional money would enable it to investigate smaller reported breach incidents as well. "Based on OCR's current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated," the budget request notes.
  • $1 million to create a "compliance review program designed to evaluate, educate and ensure compliance within a sample of the expanded covered programs and providers each year."

State HIPAA Enforcement

In a step that could pave the way for ramped up HIPAA enforcement at the state level, OCR will offer training this spring for state attorneys general on how to file a HIPAA federal civil lawsuit, McAndrew recently announced.

And McAndrew acknowledged that OCR is continuing to investigate all of the nearly 250 major health information breaches reported under the HITECH Act breach notification rule. "To the extent that there is a need to enter into a long-term resolution agreement and corrective action plan with the covered entity to properly remedy what happened, we will do so," she said. "But we're looking to covered entities for voluntary compliance."

Tom Walsh, president of Tom Walsh Consulting, says continued ramping up of enforcement means "healthcare information security professionals may finally start to get the resources that they need to improve their information security programs." He adds: "In healthcare, IT is overhead and information security is overhead within a department that is considered overhead. Statistics and surveys have indicated that spending for security is less in healthcare than other industries."

Walsh says he'd like to see at least a portion of any federal fines for non-compliance "go back into the covered entity's budget for information security and then be monitored by the OCR in follow-up audits. That would force allocation of resources to fix the problem."


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.