OCR Budget Proposal Seeks More Money for Enforcement and Fines

A 64% increase in staffing. Which staff? Investigators. What will these investigators do? Tackle OCR’s several-year backlog of complaints, including HIPAA complaints. More investigations = more money in OCR’s pocket. The OCR budget proposal, and several other wish list items, are discussed below.

OCR Budget Proposal: More, Please

By law, the President must submit an annual budget proposal to Congress. Each proposal reflects an administration’s priorities. The OCR request for a 55% bump reflects the Biden administration’s desire to restore OCR’s caseload to a more manageable level – so OCR can effectively enforce HIPAA by penalizing bad behavior

Since HIPAA was implemented, complaints to OCR have gone up – way up. In 2003, OCR received 1,948 cases. That number skyrocketed to 45,000 cases in 2021. At the same time, OCR has lost roughly a third of its investigators in the same time frame. In 2003, OCR had 121 investigators on staff. It now has 77.

OCR Budget Proposal: Can’t Keep Up

Without additional funds, OCR claims, it cannot hire the staff it needs to respond to complaints timely. OCR claims that more regional investigators (it wants an extra $8 million) are needed to address existing complaint backloads and keep up with incoming complaints.  

The 37 additional investigators and supervisory investigators OCR hopes to hire for 2023 would be used to work on complaints, data breach cases, compliance reviews, and other enforcement actions. OCR believes that the sooner it can hire more investigators, the better. 

The number of cybersecurity cases is on the rise and is expected to increase further – the number of breaches of unsecured PHI is growing as each year passes. This is particularly the case with breaches affecting over 500 individuals. Reports of such breaches increased by 30 percent between 2019 and 2020. The number of reports went up again in 2021. OCR automatically opens investigations into such breaches. Many of these investigations remain open for years; when 77 investigators are assigned to investigate hundreds of cases a year, enforcement activity can slow to a halt. 

With additional staff, OCR “estimates it will result in the backlog being eliminated by FY 2026.”

OCR Budget Proposal: Injunction Junction

OCR doesn’t just want more money. It wants more power. In its budget proposal, it has requested authority to pursue injunctions against HIPAA violators in federal court. An injunction is an order requiring a person or entity to stop certain conduct – in this case, to stop engaging in practices that violate HIPAA. 

Entities that do not comply with the terms of injunctions face additional penalties. In the context of a lawsuit, this can mean being held in contempt of court or payment of money damages to the person harmed by the conduct the injunction prohibits. If given the authority to file for an injunction in federal court, OCR could file a lawsuit in federal court, get the injunction – and then get money for its being disobeyed.

Injunctive relief would be a new tool in the OCR arsenal. Currently, state attorneys general can seek injunctive relief under the HITECH Act. This relief comes in the form of a corrective action plan (CAP). A CAP, though, can be imposed with respect to past conduct. Through a CAP, OCR can require that current practices be stopped, or new, HIPAA-compliant practices be started. However, some entities, recognizing the administrative burden complying with a CAP would impose, have chosen to accept a higher fine instead of a lower fine accompanied by a CAP.

If OCR does not bring a CAP, a repeat offender may only subsequently be penalized by OCR’s bringing a new enforcement action for the new violation. An entity with a deep pocket could theoretically choose to accept fine, after fine, after fine, without ever being ordered to prevent future misconduct.  

With injunctive relief, OCR could require that an entity take or not take an action in the future to prevent a future violation. An order of injunctive relief compelling a provider to comply with the right of access would not contain a one- or two-year expiration date, like a CAP does. This means OCR would not have to bring a new case each time a provider violates HIPAA – the bad activity would be prospectively prohibited by the one injunction. 

OCR Budget Proposal: One More Thing

And, to round out the bases, OCR is also requesting that the amount of annual penalties (minimums and maximums) it can impose for HIPAA violations be increased. In 2019, a federal appeals court told OCR that it was not properly calculating minimum and maximum fines. 

Fines are grouped into tiers, based on the level of an entity’s culpability (i.e., negligence, willful misconduct). Instead of litigating the point, OCR decided to lower the annual penalty caps. OCR now believes that the lowered penalty amounts do not deter violations.