The president’s proposed fiscal 2013 budget may appear helpful to covered entities and business associates that are concerned with HIPAA compliance. The budget calls for an overall 8 percent increase in spending for the Department of Health and Human Services (“DHHS”), but more importantly for those that have to comply with HIPAA, the proposed budget contains a 5 percent cut in spending for the unit that enforces the Privacy Rule, the Office for Civil Rights (“OCR”).
The budget notes that this cut reflects improved efficiency at the OCR: “OCR instituted a number of process improvements and administrative efficiencies from FY 2002 through FY 2010, including improved staff skill sets and case management techniques.” The DHHS budget proposal also notes, “Those improvements have made OCR more efficient,” enabling the $2 million budget cut.If the proposed budget is approved, OCR will spend $39 million in FY 2013, down from $41 million in FY 2012, and will cut its staff by 4 percent to a total of 256.
Why isn’t this proposed budget good news? Even assuming that the improved efficiencies do not mean that OCR will be more effective in enforcing HIPAA with less money, this budget cut just gives OCR more reason to impose civil money penalties now that the HITECH Act means that the penalties go to OCR for its enforcement actions rather than to the U.S. Treasury in general. If anything, one might expect that the budget cut simply gives OCR more incentive to aggressively pursue complaints and impose large money penalties, such as the $4.3 million that Cignet Health was fined for failing to afford patients access to their PHI and for obstructing the OCR investigation into the matter. See my June 17, 2011, post.
No, a 5 percent budget cut for OCR doesn’t mean that you can let up on HIPAA compliance!