HIPAA and Compliance News

HHS Requests $78M in Funding For OCR in Next Fiscal Year

HHS requested a $38 million increase over last year’s budget for OCR in order to address its complaint inventory backlog and enhance education and outreach efforts.

HHS Requests $78M in Funding For OCR in Next Fiscal Year

Source: Getty Images

By Jill McKeon

- HHS requested $78 million in funding for its Office for Civil Rights (OCR) for FY 2024, signifying a $38 million increase from last year’s budget. The requested budget increase follows HHS’ recent announcement that it would restructure OCR, forming three new divisions aimed at managing its increased HIPAA and civil rights complaint volumes.

“OCR’s budget includes a robust investment in enforcement staff to address and resolve major case receipt increases that have led to a significant complaint inventory backlog, and additional resources to bolster its policy, education, and outreach efforts in all nondiscrimination areas including race, color, national origin, disability, sex, age, and religion,” the budget document stated.

Since FY 2016, OCR’s civil rights case receipts have increased by 252 percent, necessitating additional staff to handle the increased complaint volume and support OCR’s mission to break down discriminatory barriers, HHS explained.

In addition to an uptick in civil rights complaints, HHS has received a 28 percent uptick in complaints related to HIPAA security and privacy violations and a 100 percent increase in HIPAA large breach reports since FY 2017.

Meanwhile, OCR’s enforcement staff has decreased by 45 percent “due to flat budgets and inflationary increases,” HHS noted.

“OCR’s FY 2024 request will allow a robust investment in enforcement staff to address the existing backlog.”

OCR’s FY 2024 budget request also accounts for additional resources to support the implementation of the HITECH Act specifically regarding the sharing of civil monetary penalties and HIPAA settlements with harmed individuals.

“The request supports staff to manage the program, and contractors to establish processes and procedures to evaluate and issue shared settlement funds to harmed individuals,” HHS stated.

The budget also allocates $6 million to implementing civil enforcement of confidentiality protections for substance use disorder patient records 42 United States Code §290dd-2 (Part 2). HHS plans to use these funds to create a standalone portal to receive Part 2 complaints, hire additional investigators, and provide education and training materials to the public.

HHS also expressed its intention to increase civil monetary settlement collections via a proposal that seeks to increase the amount of civil money penalties related to HIPAA non-compliance that can be imposed in a calendar year.

“Authorizing higher annual caps will strengthen OCR’s enforcement of the HIPAA Rules. Authorizing OCR to seek injunctive relief will improve OCR’s ability to prevent additional or future harm to individuals resulting from entities’ non-compliance with the HIPAA Rules in the most egregious and urgent cases,” HHS reasoned.

Along with an increase in funds dedicated to OCR, HHS requested $515 million for the HHS Office of Inspector General (OIG), signifying a $37 million increase above FY 2023. Cybersecurity is a key focus area in the OIG budget request – the budget includes $20 million aimed at hiring cybersecurity professionals in an increasingly competitive cybersecurity job market.

“HHS and the healthcare industry face significant cybersecurity risks that OIG oversight and enforcement will help mitigate,” HHS noted.

HHS’ budget request for the Public Health and Social Services Emergency Fund, which supports the HHS Cybersecurity Program, also included key cybersecurity investments. With a requested increase of $88 million geared toward the Cybersecurity Program, HHS plans to invest in developing a robust zero trust architecture, modernizing security event logging, and implementing other technologies that will help the department enhance its security program.

Even though the HHS budget proposal places emphasis on improving cybersecurity and enforcing HIPAA, similar budget proposals have failed in the past.