The Department of Health and Human Services has asked for an additional $38 million in federal funding for the Office for Civil Rights (OCR), which would almost double the appropriations OCR currently receives. OCR is responsible for enforcing 55 privacy, security, civil rights, and religious freedoms statutes; however, their caseload has gone up while their budget remains stagnant and only increases in line with inflation. Consequently, their resources and staff have become highly strained due to the lack of budget increase.
The HHS Accused OCR in Taking Advantage of Restricted Resources
Before proposing its funding request, the Department of Health and Human Services (HHS) declared that it has reorganized OCR to enhance its productivity and take advantage of its restricted resources.
The restructuring should help OCR diminish the number of unresolved investigations, however, restructuring alone is not enough. “From 2017 to the present, OCR has observed a 28 percent increase in HIPAA complaints and a 100 percent rise in HIPAA major breach reports, even though OCR’s enforcement personnel have been reduced by 45 percent resulting from flat budgets and inflationary increases,” the HHS detailed in the report. OCR has also noticed a decrease in civil monetary collections since 2019, and its caseload in 2024 is anticipated to be twice as much as in 2018.
Despite a doubling of enforcement actions taken by OCR for HIPAA non-compliance in 2022 compared to 2018, the supplemental funds collected from those penalties were drastically lower. The overall penalty value in 2022 was 92.6% lower than in 2018, despite the number of penalties has increased by 100%. This decrease in penalty amounts is attributed to OCR’s re-examination of the HITECH Act. Initially, the HITECH Act had set out to increase civil monetary penalties for HIPAA violations, yet upon revisiting the text, the maximum penalty amount for three of the four penalty tiers was reduced.
OCR`S Penalty For HIPAA Violations
Since 2019, a majority of the civil monetary penalties and settlements have been for breaches of the HIPAA Right of Access. These resolutions and financial penalties typically involve HIPAA infractions connected to a single patient by smaller healthcare organizations. In total, the penalties to resolve these HIPAA violations add up to $2,440,150, varying from $3,500 to $240,000 with a mean payment of $56,748 and a median payment of $36,000. Investigations of these cases are simpler than those of cyberattacks, which are more complex and require more resources.
In 2021 and 2022, OCR was responsible for 36 civil monetary penalties and settlements, with only 5 of those related to HIPAA violations other than Right of Access failures. Due to a lack of resources, OCR is unable to investigate hacking incidents to determine potential HIPAA Security Rule violations, which usually carry hefty penalties.
A federal appeals court recently overturned one of OCR’s penalties, finding that their approach was illegal. Additionally, OCR will soon have to give a portion of the funds from their enforcement activities to individuals harmed by HIPAA violations. This will reduce their supplemental funds from this source and also take away from their budget. Civil monetary settlements are no longer enough to make up for the budget shortfall.
The Office for Civil Rights (OCR) proposed in its 2024 legislative report to raise the maximum penalties for HIPAA violations per year to secure more funding. In addition, the OCR was given the power to collaborate with the Department of Justice to strengthen its ability to enforce the HIPAA Rules, including getting injunctive relief and preventing further harm to individuals caused by HIPAA violations in the most egregious and urgent cases. However, due to budget constraints, the OCR may still have difficulty pursuing these cases.
The Final Stage of OCR HIPAA Infractions
The budget of $78 million is allocated to enable a system of distributing money from discipline actions to those who have been affected by HIPAA infractions, and $6 million has been set aside to finance enforcement activities mandated by the CARES Act. Additionally, the increased funding will help OCR to enhance its policy initiatives, teaching, and outreach efforts in areas such as race, color, national origin, disability, sex, age, and religion.
The HHS has requested more financial aid to assist with the higher caseload of the OCR, yet this is not the first attempt that has been made. Unfortunately, the former attempts have been unsuccessful, and there is not much to indicate that the current proposal will be any different.
Steve Alder, the editor-in-chief of HIPAA Journal, is responsible for the editorial policy of the topics discussed on the website. His expertise lies in the healthcare industry’s legal and regulatory affairs, with several years of writing about the topic.
His knowledge in the use of IT and HIPAA has been honed through his work of creating numerous articles about the topic.
The use of technology in the classroom has become increasingly prevalent in the modern era.
Nowadays, it is quite common to find digital equipment being utilized in educational settings to enhance the learning experience. This can range from computers to tablets or other interactive devices, all aimed at aiding students in their studies and providing a more efficient way of learning.