OCR, ONC Get Flat Fiscal 2015 BudgetsThe Impact on Privacy, Security and Health IT Safety Plans
The newly approved fiscal 2015 federal budget includes no increase in funding for the federal agencies responsible for enforcing HIPAA and setting policies and standards for the HITECH Act financial incentive program for electronic health records.
As a result, the Department of Health and Human Services, which oversees both agencies, has put on hold its plans to build a health IT safety center. Meanwhile, Congress is demanding more scrutiny of EHRs that "block" interoperable health information exchange, impeding efforts to improve access to data and improve the quality of care.
The Consolidated and Further Continuing Appropriations Act, 2015 passed by Congress last week after months of haggling, and signed by President Obama on Dec. 16, provides the HHS' Office for Civil Rights, which enforces HIPAA, with a budget of nearly $38.8 million, while the budget for the Office of the National Coordinator for Health IT, which sets HITECH guidelines, among other tasks, is almost $60.4 million.
Under the Obama administration's proposed fiscal 2015 budget released in March, OCR had sought a budget of $41 million, up $2 million from fiscal 2014.
The proposed budget had OCR adding 11 full-time staff members, increasing its workforce to 218 employees in fiscal 2015. The funding increase was also slated to help support OCR's centralized case management operations and online complaint system, according to an HHS "budget in brief" document released in March.
Despite the flat budget, "OCR will continue working efficiently to maintain and improve our compliance and enforcement activities across the board moving forward," an OCR spokeswoman tells Information Security Media Group. She declined to comment on OCR's hiring plans or what, if any impact, the smaller-than-requested budget approved by Congress might have on OCR's plans for the next phase of HIPAA compliance audits. Those audits had been slated to begin in the fall of 2014 but were postponed in part due to delays in a technology rollout at OCR to help handle the electronic submission of documents related to the audits (see HIPAA Compliance: What's Next?).
"OCR is committed to implementing an effective audit program," she says. "Organizations should continue to monitor the OCR website for future program announcements." In the meantime, "OCR's strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track, as evidenced in our recent [HIPAA] resolution agreement with Anchorage Community Mental Health Services," she says, referring to OCR's $150,000 settlement earlier this month with the mental health services provider that failed to update and patch software, which contributed to a 2012 breach affecting 2,700 individuals (see $150K HIPAA Fine For Unpatched Software).
Meanwhile, ONC had sought a budget of nearly $75 million for fiscal 2015. The proposed funding plan included the hiring of six additional full-time employees to bring ONC's headcount to 191, according the HHS budget documents.
The proposed ONC budget also included $5 million for the creation of a new Health IT Safety Center, which was slated in fiscal 2015 to begin "a robust collection and analysis of health IT-related adverse events, which will facilitate benchmark data on the types and frequencies of events," according to the HHS budget documents released in March.
However, some GOP members of Congress in recent months had opposed the creation of an ONC health IT safety center over concerns that it might encroach on activities carried out by the Food and Drug Administration, including some related to medical devices.
The creation of the health IT safety center was also called for in a Proposed Strategy and Recommendation for a Risk -Based Framework report issued by the FDA, ONC and Federal Communications Commission in April 2014.
A ONC spokesman tells ISMG that "ONC does not have increased funding above the FY 2014 levels in the areas of standards development and harmonization, the patient safety center, or adoption and meaningful use [of electronic health records], as were requested in the FY 2015 President's Budget." As a result, ONC won't launch the health IT safety center.
Despite the flat budget, however, "ONC is continuing to fund privacy and security and has not eliminated any planned activities related to this work in 2015," he says.
EHR Interoperability Scrutiny
In addition to the funding approved by Congress, the 2015 budget also calls on ONC to more carefully scrutinize health IT products, such as EHR systems, that do not facilitate the interoperable exchange of health data.
The budget urges ONC "to use its [HITECH] certification program judiciously in order to ensure certified EHR technology provides value to eligible hospitals, eligible providers and taxpayers."
That includes instructing ONC to use its authority "to certify only those products that clearly meet current meaningful use program standards and that do not block health information exchange. ONC should take steps to decertify products that proactively block the sharing of information because those practices frustrate Congressional intent, devalue taxpayer investments in certified EHR technology, and makes [the technology] less valuable and more burdensome for eligible hospitals and eligible providers to use."
Those healthcare providers participating in the HITECH "meaningful use" program must use EHR products certified as meeting requirements approved by ONC, including those related to secure data exchange.
The budget also calls for ONC to report "no later than 90 days after enactment of the act" regarding the extent of the information blocking problem, including an estimate of the number of vendors or eligible hospitals or providers who contribute to blocking information exchange. "This detailed report should also include a comprehensive strategy on how to address the information blocking issue," the budget measure states.
In response, the ONC spokesman says: "We understand the importance of the issues about interoperability of health IT raised by members of Congress, which is one of the reasons we are expecting to issue the draft interoperability roadmap next month.
"The roadmap will address many of the challenges associated with achieving our long-term interoperability vision, including the need to promote a business and regulatory environment that promotes interoperability and exchange. In addition, we recently announced we are working closely with the Federal Trade Commission to better understand health IT market dynamics and encourage greater competition and innovation to deliver interoperable systems and services.
In an October blog, ONC leaders wrote: "ONC and FTC are cooperating and sharing information to better understand market dynamics related to health IT. In consultation with FTC, ONC will formulate policies that advance patient care through competition and innovation. Government policy may be able to improve transparency, promote interoperability, create incentives for quality, and reduce barriers to competition and innovation."