But What Will Funding Look Like Next Year?
Despite the White House’s request for deep budget cuts, Congress passed, and President Trump signed into law last week, flat funding for the current fiscal year for the two federal agencies responsible for health information privacy and security issues, including HIPAA enforcement.
But the Trump administration is proposing OCR and ONC budget cuts for fiscal 2019 similar to its proposed cuts for fiscal 2018 that were not enacted (see Trump FY2019 Budget Would Slash ONC, OCR Funding).
The $1.3 trillion fiscal 2018 omnibus budget signed into law on March 23 provides discretionary funds for the federal government through Sept. 30.
Under the bill, funding for the Department of Health and Human Services’ Office for Civil Rights – which enforces HIPAA – will remain flat at nearly $38.8 million. The Trump administration had earlier proposed cutting the budget about 16 percent to about $33 million (see Trump Proposed Hefty HHS Cuts For OCR, ONC).
Despite the lack of cuts for fiscal 2018, the agency is still struggling with too few resources, some security experts say.
“While OCR’s congressional appropriation has remained flat for several years, the reality is that annual increases [in inflation] have robbed the agency of real dollars to fulfill an ever expanding mission,” says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. “Recent action to expand the scope of OCR’s responsibilities will force further division of an already shrinking budget pie,” says Holtzman, a former senior adviser at OCR.
Meanwhile, HHS’ Office of the National Coordinator for Health IT – which is overseeing efforts to promote nationwide secure, interoperable health information exchange – will also see its fiscal 2018 budget remain flat at $60 million, despite the White House proposing to cut ONC’s budget to $38 million.
Among ONC’s responsibilities is work related to the health IT provisions of the 21st Century Cures Act, which was signed into law in 2016. That work includes ONC’s effort to draft a final version of a trusted health information exchange framework.
ONC is evaluating public comments it received earlier this year on its draft proposal for a “trusted exchange framework and common agreement” and plans to issue a final version of the document by year-end, ONC officials say (see ONC Considering Tweaks to Trust Exchange Framework).
“No one should be surprised that Congress provided strong, bipartisan support for supporting standards for electronic health record technologies, as well as assuring the privacy and security of consumer medical information,” Holtzman says.
“It’s been less than two years since passage by Congress of the 21st Century Cures Act setting out their priorities supporting health IT and the important role of privacy and security. It was a tremendous miscalculation [by the White House] to assume that Congress would not support its legislative priorities.”
Overall, the omnibus budget bill provides the Department of Health and Human Services a total budget authority for fiscal 2018 of $78 billion, an increase of $10 billion above the enacted fiscal 2017 level, according to a House appropriations budget document.
A big portion of that budget increase goes to the National Institutes of Health. The bill provides NIH a total of $37 billion, an increase of $3 billion above the fiscal year 2017 enacted level, to fund several critical research initiatives. That includes a funding boost of $60 million, to a total of $290 million, for the “All of Us” research initiative, formerly called the Precision Medicine Initiative, an effort signed into law under the Obama administration. Precision medicine, which is also sometimes referred to as “personalized medicine,” aims to take advantage of advances in medical research, taking into account an individual’s health history, genetics, environment and lifestyle, to better hone treatment.
Tim Noonan, OCR’s acting deputy director for health information privacy, says in a statement provided to Information Security Media Group: “OCR will continue to diligently administer the HIPAA privacy, security and breach notification rules in a way that best balances the important protections for individuals’ sensitive health information with the interests of the regulated community by providing guidance, audits, investigations, and public outreach. OCR investigations will continue to highlight egregious cases where there is a corporate culture of noncompliance and/or a disregard for the duty of care that is owed to individuals to safeguard their health information.”
Since April 2017, OCR has collected more than $11.6 million in civil monetary penalties and settlements, Noonan says. Under the HITECH Act, money collected by OCR through its settlements and penalties can be used to supplement its enforcement activities.
Holtzman notes that OCR has used its authority granted under the HITECH Act to apply the funds collected through its enforcement action to hire contract personnel to work alongside its regular federal workforce.
OCR did not immediately respond to an ISMG request for comment on plans for using the funds collected from its fiscal 2017 enforcement settlements and penalties.
In his statement, Noonan says the agency is wrapping up work on its Phase 2 HIPAA compliance audits. Some 200 organizations were subjected to “desk audits” in 2016 and 2017.
“OCR has completed reviewing entity compliance with the HIPAA rules and plans to issue aggregate findings later this year,” he says. “We will also update our website with other helpful tools and technical assistance resulting from the audit findings. OCR will review the current audit model and assess potential changes for future implementation of periodic audits.”
At the recent HIMSS18 conference in Las Vegas, however, when asked if OCR had plans for a third phase of its audit program, OCR Director Roger Severino told ISMG that “phase three is the compilation of findings” (see ‘No Slowdown’ For HIPAA Enforcement, But Audits Ending).
Noonan says that during phase 2 of the audit program, covered entities were audited for compliance with the HIPAA Security Rule’s risk analysis and risk management provisions, the HIPAA Breach Notification Rule’s content and timeliness of notification requirements and the HIPAA Privacy Rule’s requirements to provide individuals with a notice of privacy practices and access to their protected health information.
Business associates were audited for compliance with the HIPAA Security Rule’s risk analysis and risk management provisions as well as the HIPAA Breach Notification Rule’s requirement to notify covered entities of a breach.
“Some preliminary outcomes from the audits showed overall compliance with providing timely notice of breaches, and notices of privacy practices were published on entities’ web sites and contained the HIPAA-required elements,” Noonan says.
“Identified areas for improvement include having enterprisewide risk analyses, policies and procedures for risk management and providing individuals with access to their protected health information.”