Heads Up! Massive Increase in Proposed FY2025 OCR Budget: Focus on HIPAA Enforcement and Risk Management

(This article was originally posted on June 2, 2024, on my Enabling Board Cyber Oversight blog series at Heads Up! Massive Increase in Proposed FY2025 OCR Budget: Focus on HIPAA Enforcement and Risk Management)

Introduction

The proposed Fiscal Year 2025 (FY2025) budget for the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS) includes significant provisions aimed at strengthening the enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and enhancing risk analysis and risk management processes across the healthcare ecosystem. The budget highlights a commitment to improving patient privacy and security in response to the increasing complexity and frequency of cyber threats in the healthcare industry.

Huge Increased Funding for HIPAA Enforcement

The FY2025 budget requests $57 million for OCR, an increase of $17 million or a whopping 42.5% from the FY2024 final budget. Additionally, OCR proposes to allocate $10 million in civil monetary settlement funds to support HIPAA enforcement activities. This increase in funding is crucial for addressing OCR’s rising caseload and expanding its capacity to enforce HIPAA regulations effectively.

Addressing the HIPAA Case Inventory Backlog

OCR has faced a significant increase in large breach reports, with a 101% rise from FY2018 to FY2022. In FY2022, these significant breaches affected over 55 million individuals; in FY2023, this number surged to over 134 million. The budget includes resources to address the growing backlog of HIPAA cases. As of FY2022, OCR had only 70 full-time investigators handling a backlog of over 8,000 cases, which is expected to grow. The budget proposes additional staffing to manage this backlog and ensure timely responses to complaints and breach reports.

Legislative Proposals to Enhance HIPAA Enforcement

The budget includes a legislative proposal to enhance HIPAA protections by increasing civil monetary penalty caps and authorizing injunctive relief. The proposal seeks to align penalty caps with industry trends, reflecting the increase in large breaches affecting millions of individuals each year. It also authorizes OCR to work with the U.S. Department of Justice to seek injunctive relief in federal court for HIPAA violations, thereby strengthening OCR’s ability to prevent harm from non-compliance.

Risk Analysis and Risk Management

Risk analysis and risk management are critical components of HIPAA compliance. According to Clearwater Security’s primary research (Clearwater), conducted since the first documented settlement agreement with Providence Health in 2008 and based on OCR enforcement actions since then, 90% of organizations involved in a data breach or attack on electronic protected health information (ePHI) fail to present an OCR-Quality Risk Analysis to OCR. OCR’s enforcement efforts will ensure that covered entities, such as healthcare providers and insurance companies, conduct comprehensive, enterprise-wide risk analyses and implement effective risk management strategies.

Education and Outreach

Education and outreach are crucial to driving compliance with HIPAA regulations. OCR plans to expand its educational efforts through conferences, workshops, webinars, and training sessions. OCR designs these activities to build stakeholder relationships, promote dialogue, and ultimately enhance compliance and oversight.

When – Watch this Space!

The approval process for the Fiscal Year 2025 (FY2025) budget for the Department of Health and Human Services (HHS), including the Office for Civil Rights (OCR), involves several key steps and spans multiple phases over an 18-24-month period. We’re coming down the homestretch. These steps for the FY2025 HHS/OCR budget will follow the typical federal budget process, with final approval expected by the end of September 2024, before the fiscal year begins on October 1, 2024.

Conclusion and Actions to Take Now

The FY2025 budget proposal for OCR underscores a robust commitment to enhancing HIPAA enforcement and improving enterprise cyber risk management (ECRM) in the healthcare industry. By increasing funding, addressing the case backlog, and proposing legislative changes, OCR aims to protect patient health information against an evolving landscape of cyber threats. These efforts will help build a more secure and trustworthy healthcare system for all Americans.

The FY2025 OCR budget proposal reflects a comprehensive approach to strengthening HIPAA enforcement and enhancing risk management practices, ensuring that patient privacy and security remain paramount in the face of growing cyber threats and privacy challenges.

The educational content and actions recommended in Stop the Cyber Bleeding are timeless. Since its publication in late 2020, the action case (to establish, implement, and mature an ECRM program) has only been reinforced by even more significant attacks on healthcare organizations, new laws or regulations, emerging threats or cybersecurity risks specific to the healthcare industry, continued explosive growth of healthcare data, systems, and devices, and heightened consumer attitudes towards data privacy and trust in healthcare organizations. Pick up a copy of Stop the Cyber Bleeding today.
