Report on Patient Privacy 22, no. 5 (May, 2022)
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its impact would expand significantly in the coming months.
As part of its 2023 fiscal year (FY) budget, which would begin Oct. 1, OCR has requested a 55% increase in its overall funding, for a total of $60.2 million.[1] It also would like to boost its total staffing by 91 new employees, an increase of 64%. While some of the funds would be devoted to enforcement of civil rights laws, much would support hiring additional investigators and tackling OCR’s backlog of complaints, including those alleging HIPAA violations.
But on top of requesting more money, OCR wants more muscle: Its budget proposal also seeks the authority to pursue injunctions against CEs and BAs, and—although the exact amount is unstated—the agency plans to work with Congress to increase the annual penalties it can impose for infractions of the privacy, security and breach notification rules. As part of a suit that HHS ultimately lost against the University of Texas MD Anderson Cancer Center, OCR in 2019 dropped the annual penalty caps to a level it now believes is ineffective in preventing violations.[2]
Aside from dollar and staffing information, OCR rolled its other requests into a single paragraph that is referred to in budget documents as a “legislative proposal.”
“OCR is proposing an increase in the amount of civil money penalties that can be imposed in a calendar year for HIPAA noncompliance and [seeks authorization] to work with the U.S. Department of Justice t ..
Support the originator by clicking the read the rest link below.
