HHS Spells Out Obama Budget's ImpactIncludes Funding for Health IT Safety, HIPAA Enforcement
The Obama administration's proposed fiscal 2015 budget calls for a 22 percent increase in funding for the office that oversees policies and standards for the HITECH Act's electronic health record incentive program and a 5 percent increase for the agency responsible for enforcing HIPAA compliance.
See Also: HIPAA Audits: A Revised Game Plan
Obama's budget is a statement of the administration's spending priorities for the federal government. Ultimately, Congress must approve appropriation bills to fund the government. Fiscal 2015 begins on Oct. 1.
ONC FundingUnder Obama's budget proposal unveiled this week, the Department of Health and Human Services' Office of the National Coordinator for Health IT, which oversees the HITECH program, would have a budget of $75 million, up $14 million from the current year. Six additional full-time employees would be added, bringing ONC's headcount to 191.
The proposed ONC budget includes $27.2 million, or $8.5 million more than the current fiscal year, to fund development of standards supporting interoperable and secure health IT infrastructure. In addition, ONC's proposed budget includes $2.9 million for other privacy and security related activities, "ensuring that electronic health information is private and secure wherever it is transmitted, maintained, or received," says an additional ONC budget document, the Justification of Estimates for Appropriations Committee, released by HHS on March 7.
The extra money sought by ONC in fiscal 2015 would also help support a number of other efforts, including the creation of a new Health IT Safety Center, which in fiscal 2015 "will begin a robust collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events," says an HHS "budget in brief" document. ONC is seeking $5 million to fund the new safety center in fiscal 2015.
The new center "will monitor and analyze data on patient-safety events, potentially unsafe conditions associated with health IT, and patient-safety events that could be prevented by health IT," the HHS document notes. ONC will work closely with the Agency for Healthcare Research and Quality, the Joint Commission, Food and Drug Administration and patient safety organizations on this effort, the HHS document notes.
The HHS document notes that in fiscal 2015, the FDA will continue to implement key new responsibilities authorized in the FDA Safety and Innovation Act.
The FDA has been collaborating over the last year with ONC and the Federal Communication Commission in developing a "risk-based regulatory framework" to address patient safety concerns around health IT, including potentially those involving cybersecurity issues (see Health IT: A Cybersecurity Framework).
An ONC spokesman says the new Health IT Safety Center "is part of our Safety Surveillance and Action Plan based on recommendations in the Institute of Medicine report," which in 2011 suggested the government and private sector improve transparency in the reporting of health IT safety incidents and enhance monitoring of health IT products. The new safety center will be aligned with the report on the FDA framework, "which we intend to release for comment in March," the ONC spokesman says.
Meanwhile, under the proposed budget, the HHS Office for Civil Rights, which is responsible for HIPAA enforcement, would have a budget of $41 million, up $2 million from fiscal 2014. OCR would add 11 full-time staff members, increasing its workforce to 218 employees.
The funding increase will help support OCR's centralized case management operations and online complaint system, HHS notes. "The budget supports continued enforcement of the HIPAA security rule and OCR's expanded HIPAA responsibilities," the HHS document says. "OCR evaluates and ensures HIPAA and civil rights compliance through complaint investigations, compliance reviews, audits, resolution agreements, enforcement actions and monitoring, public education and technical assistance."
Among OCR's enforcement activities slated for 2014 is the resumption of HIPAA compliance audits, which have been on hiatus since the agency's pilot audit program wrapped up in 2012 (see HIPAA Audits a Step Closer to Resuming).
Unlike the pilot audits, which were conducted by the consulting firm, KPMG, the next wave of HIPAA audits will be performed by OCR's internal staff.
OCR officials recently confirmed the agency is taking the first steps to resuming the program. In a Feb. 24 notice in the Federal Register, OCR said it will survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."
In fiscal 2013, OCR resolved more than 9,500 complaints of alleged HIPAA violations, and collected about $4 million in HIPAA settlements related to its enforcement activities, the HHS document notes. OCR projects that it will collect about $5.5 million from HIPAA settlements in fiscal 2014, which the agency will use to further fund its enforcement activities, according to the HHS document. Under HIPAA Omnibus, penalties for each HIPAA violation can range up to $1.5 million.