Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its impact would expand significantly in the coming months.
As part of its 2023 fiscal year (FY) budget, which would begin Oct. 1, OCR has requested a 55% increase in its overall funding, for a total of $60.2 million. It also would like to boost its total staffing by 91 new employees, an increase of 64%. While some of the funds would be devoted to enforcement of civil rights laws, much would support hiring additional investigators and tackling OCR’s backlog of complaints, including those alleging HIPAA violations.
But on top of requesting more money, OCR wants more muscle: Its budget proposal also seeks the authority to pursue injunctions against CEs and BAs, and—although the exact amount is unstated—the agency plans to work with Congress to increase the annual penalties it can impose for infractions of the privacy, security and breach notification rules. As part of a suit that HHS ultimately lost against the University of Texas MD Anderson Cancer Center, OCR in 2019 dropped the annual penalty caps to a level it now believes is ineffective in preventing violations.
Aside from dollar and staffing information, OCR rolled its other requests into a single paragraph that is referred to in budget documents as a “legislative proposal.”
“OCR is proposing an increase in the amount of civil money penalties that can be imposed in a calendar year for HIPAA noncompliance and [seeks authorization] to work with the U.S. Department of Justice to seek injunctive relief in federal court for HIPAA violations,” the documents state. “Authorizing higher annual caps would increase OCR’s ability to vigorously enforce the HIPAA Rules, create a greater incentive to comply with the health information privacy laws, and effectuate greater industry compliance. In OCR’s experience, the current limits on civil money penalties do not create a sufficient deterrent to industry noncompliance.”
OCR did not respond to RPP’s request for more details, including specifics about requested penalty increases.
Like most other federal agencies that rely on congressional appropriations, OCR’s funding in the past two decades has come through partial-year continuing resolutions, widely believed to be a broken process that typically doesn’t allow for big increases or many new initiatives. But the White House’s system for proposing a budget has remained unchanged. The president issues a budget request for each department and wish-list items—i.e., legislative proposals—that, in general, Congress would have to codify into law for them to become a reality.