Obama Budget: Health Data Security Impact

Will HIPAA Audits Finally Get More Funding?
The Obama administration's proposed fiscal 2016 budget calls for increases in funding for the HIPAA compliance audit program as well as the development of nationwide secure health data exchange. It also would provide funds for the removal of Social Security numbers from Medicare cards in an effort to reduce ID theft.

Under Obama's plan, the Department of Health and Human Services budget would total nearly $1.09 trillion, up 4.8 percent from fiscal 2015. The president's proposal calls for about a 10 percent increase in the budget for the Office for Civil Rights, which enforces HIPAA. By comparison, the budget calls for a 52 percent increase in the budget for the Office of the National Coordinator for Health IT, which oversees policies and standards for health IT programs, including the national exchange of health information.

Obama's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government, and it's unlikely a GOP-controlled Congress will approve many of the Obama administration's proposed increases.

In fact, neither OCR nor ONC received the increased budgets called for in Obama's fiscal 2015 budget proposal. Each agency received a flat budget in the Consolidated and Further Continuing Appropriations Act, 2015 passed by Congress in mid-December and signed by President Obama on Dec. 16 (see OCR, ONC Get Flat Fiscal 2015 Budgets).

OCR Budget

Under the proposed fiscal 2016 budget, OCR would have a budget of $42.7 million, up from nearly $39 million in fiscal 2015. The OCR budget for fiscal 2016 calls for the addition of just four full-time staffers, bringing the total to 199.

The HHS budget document indicates the bulk of the proposed $3.9 million OCR budget increase would go toward funding a permanent HIPAA compliance audit program.

In a letter accompanying HHS' budget proposals, OCR Director Jocelyn Samuels writes: "The audit program will add tremendous value to OCR's compliance and enforcement mission by enabling OCR to proactively and systematically measure industry compliance with HIPAA."

The audit program, mandated by the HITECH Act, will give OCR "another vital enforcement tool to gauge and promote industry compliance independent of our normal complaint resolution processes," Samuels says. "The two primary objectives of this program are to further promote voluntary compliance and to utilize audit data to better target our existing technical assistance efforts."

The OCR fiscal 2016 budget request "represents a doubling down of the commitment to expand the HIPAA/HITECH audit program," says David Holtzman, vice president of compliance at security consulting firm CynergisTek, and a former OCR policy adviser. "When Congress passed the HITECH Act in 2009, it mandated OCR conduct audits of HIPAA covered entities and business associates to assess compliance with the [HIPAA] rules across the health care sector. However, Congress only appropriated enough funding for the first two years of the audit program," he notes.

Although Congress did not appropriate any additional funds to OCR in fiscal 2015, OCR used its budget appropriation for existing programs to create a position for a full-time HIPAA audit manager and complete other audit preparation tasks, he explains.

Now for fiscal year 2016, "HHS is asking Congress to provide an outright appropriation to fund the HITECH audit program it mandated. OCR's budget request provides for funding of new personnel in OCR regional offices whose responsibility would be carrying out the audit program," he says.

Early last year, OCR officials said the agency planned to launch the HIPAA audit program by the fall of 2014, by first beginning to randomly audit covered entities, and then business associates in early 2015. However, the program remains on hold, with the protocol for audits still in development and a project to automate the collection of audit documentation still incomplete (see HIPAA Audits Are Still On Hold).

"In the current constrained fiscal [2015] environment, OCR continues to examine ways we can do more with our resources," Samuels writes in her letter accompanying the HHS budget proposal.

ONC Budget

Under the proposed HHS budget, ONC would receive $91.8 million, a $30 million-plus boost over its enacted fiscal 2015 budget of $60.3 million. The ONC budget proposes adding 15 full-time employees, to bring the agency's total headcount to 200.

"The FY 2016 budget request reflects ONC's commitment to developing a nationwide, interoperable learning health system that assures that data can be securely collected, used and shared by the right people at the right time to achieve better care and better health at a lower cost," says ONC leader Karen DeSalvo, M.D., in the HHS budget document submitted to Congress.

Just last week, ONC unveiled a draft 10-year roadmap for achieving nationwide secure health data exchange built on interoperable electronic health records systems (see ONC's HIE Roadmap: Hurdles Ahead).

In its budget request, ONC is seeking $9.1 million for health IT policy and governance activities, including ONC identifying the "rules of the road" for secure national health data exchange.

The proposed ONC budget also allocates $4.8 million to privacy and security activities, including:

  • Developing health IT privacy and security policy, standards and adoption strategies for nationwide health information exchange;
  • Providing guidance to providers, consumers, and other stakeholders to ensure that health information technology and workflows are protected by adequate safeguards;
  • Developing identity management methods to help ensure that patients and providers are who they say they are when electronically accessing and exchanging information;
  • Taking steps to ensure patients have control over use and disclosure of protected health information.

Preventing ID Theft

The budget also proposes spending $50 million "to protect seniors from identity theft." That funding would support the removal of Social Security numbers from Medicare cards, an initiative that's been recommended multiple times since 2002 by government watchdog agencies, including the Government Accountability Office and the HHS Office of Inspector General.

HHS is also seeking $73 million - a $28 million increase over fiscal 2015's enacted budget - to manage and provide oversight to the department's cybersecurity program.

"This investment is designed to reinforce and protect the department's information technology systems against the growing threats within the cyber community," says the HHS budget document.

Safeguarding Genomic Data

In addition, the budget includes $215 million to fund a proposed "precision medicine initiative," which President Obama mentioned during his recent State of the Union address. The new "cross-department initiative is focused on developing treatments, diagnostics and prevention strategies tailored to the individual genetic characteristics of each patient, also known as precision medicine," the HHS budget notes.

The budget proposes that ONC spend $5 million in fiscal 2016 to help develop technology and define standards and certification criteria to enable the secure exchange of genomic data related to the precision medicine effort.

Also, OCR will work with the participating agencies "to ensure that adequate privacy protections are in place to support implementation of this initiative," HHS' budget document notes.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



