The Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, is asking for an increase of $5.6 million in its Fiscal Year 2012 budget proposal, mostly to adhere to HIPAA compliance and enforcement requirements.
Nearly half ($2.283 million) is needed because of OCR's requirement to hire "regional privacy officers" who offer guidance and education to covered entities, business associates, and individuals regarding HIPAA privacy and security.
OCR is requesting another $1.335 million to help investigate HITECH breach reports. As of September, 30, 2010, OCR has received a total of 9,300 breach reports -- 191 impact more than 500 individuals and 9,109 impact fewer than 500 individuals.
The numbers have increased since the report. As of Wednesday, March 16, 249 entities have reported breaches affecting 500 or more individuals to OCR.
OCR says it needs help investigating the small breaches. It needs additional full time equivalent employees and resources to "ensure it is able to conduct investigations of potential small- and mid-sized breaches."
The new breach reports represent a 109% increase in OCR's HIPAA workload – and they are in addition to the nearly 9,400 HIPAA privacy and security rule complaints that OCR received in FY 2010.
"Based on OCR's current HIPAA case load, almost all breach reports that impact [fewer] than 500 individuals are not investigated," OCR writes.
OCR's other budget requests are:
Enforcement of the HIPAA Security Rule ($1 million). Helps support OCR's new delegated authority for the administration and enforcement of the security standards in the HIPAA Security Rule.
Compliance review program ($1 million). Supports OCR's establishment of a compliance review program designed to evaluate, educate, and ensure compliance within a sample of the expanded covered programs and providers each year. OCR anticipates that FY 2012 will be the starting point for a steady increase in civil rights complaints requiring investigation and compliance reviews.
"OCR's 2012 Budget Justification highlights that while our workload has increased, we are working smarter and more strategically to fortify our enforcement activities across the board," an OCR spokesperson wrote in an e-mail to HealthLeaders Media. "OCR is the primary defender of the public's right to privacy and security of protected health information and the public's right to non-discriminatory access to federally-funded health and human services, and we take these responsibilities very seriously."
Another HITECH enforcement requirement – OCR's periodic audits – has yet to be released. The last update came last May when OCR announced it had hired an outside firm, Booz Allen Hamilton, to help build its HITECH-required HIPAA auditing plan. OCR told HealthLeaders Media it was "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.