What's in Biden's Proposed FY 2022 HHS Budget?Includes Funding for Cybersecurity Programs and Privacy, Security Enforcement Efforts
The Biden administration's fiscal 2022 proposed budget for the Department of Health and Human Services calls for an increase in spending to protect HHS from evolving cyberthreats as well as funding boosts to support regulatory and enforcement efforts related to health data privacy and security.
The president's budget is little more than a wish list because Congress must enact appropriations, and the final funding levels always differ from the administration's requests.
The requested HHS fiscal 2022 budget seeks $111 million for cybersecurity, an increase of $53 million above what was enacted in fiscal 2021.
The requested increase will "support the advancement of existing, and adoption of new, security technologies to protect the department’s information from the evolving number and complexity of cyberthreats," according to the 153-page HHS Budget in Brief document (see: Biden Budget Seeks to Invest Billions in US Cybersecurity.)
The HHS budget includes $73 million "to build greater resilience into information technology systems across HHS by providing resources for security operations center enhancements and increased logging functions," the document notes.
The HHS budget also proposes funding for a variety of health data privacy and security programs at the department's various agencies.
For instance, the administration is seeking $5 million to fund investigative and enforcement efforts by the HHS Office of Inspector General related to information blocking provisions of the 21st Century Cures Act, which went into effect in April (see: New Regs Aim to Improve Patient Records Access, Sharing).
The act authorizes OIG to investigate and enforce violations involving information blocking, which refers to any practice that inappropriately impedes the flow or use of electronic health information.
The proposed fiscal 2022 OIG budget includes $15 million "to hire specialized personnel from a competitive cybersecurity job market, increase OIG’s cybersecurity efforts, support needed expansions in digital technology, modernize OIG’s IT infrastructure, and further promote an AI-ready workforce," the budget document notes.
"HHS and the healthcare industry face significant cybersecurity risks that OIG oversight and enforcement work will help mitigate."
The Biden administration is also seeking a slight increase in overall funding for the HHS Office for Civil Rights, which enforces HIPAA. The administration is seeking a discretionary budget of $48 million - a $9 million increase over fiscal 2021’s $39 million discretionary budget.
In addition, OCR will use $19 million in civil monetary settlement funds to support HIPAA enforcement activities, the budget document notes. That’s down $8 million from $27 million in settlement funds in fiscal 2021. In total, the administration is proposing a $67 million budget for OCR, which would be a $1 million increase over fiscal 2021.
The administration is seeking to add 39 staff members to OCR, for a total of 229.
Less Money From Enforcement
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that OCR has collected $19 million in funds in the previous calendar year's enforcement actions that it can use toward further enforcement.
OCR’s HIPAA enforcement focus since April 2019 has been on settlements involving patient right of access disputes, such as cases in which covered entities failed to fulfill patients' requests for copies of their health records. While OCR has settled more than a dozen of these cases in the last two years, the financial penalties have been less than typically seen in large breach cases, he notes.
Last year, OCR issued 17 HIPAA settlements, the majority involving patient right of access cases.
"These enforcement funds can be challenging because they are one-time payments that fluctuate from year to year," he notes. "Accordingly, they are not ideal [to use] for hiring permanent staff, but instead are better suited for paying contractors and one-time expenditures."
Still, much of OCR’s enforcement work is done through career staff at the regional offices who are not affected by OCR’s changing enforcement funds, Greene notes.
The budget document notes that in fiscal 2022, "OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.”
In January, OCR published proposed changes to the HIPAA Privacy Rule; it's now reviewing public comments before issuing a final rule (see: Groups Call for Alignment of HIPAA Privacy Rule, Other Regs).
Another HHS unit, the Office of the National Coordinator for Health IT, focuses on coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. For fiscal 2022, the Biden administration is seeking a $25 million budget increase, to $87 million, for this office, with the staff remaining the same at 177.
"The budget prioritizes funding to advance standards development, promote the interoperability and usability of electronic health information and electronic health records, and support the staff and operational costs that advance the agency’s mission," the budget document notes.
The fiscal 2022 budget provides an increase of $13 million for ONC "to build the future healthcare data infrastructure needed to better respond to and prepare for public health emergencies, including the COVID-19 pandemic," the budget document notes.
ONC’s progress on its voluntary trusted exchange framework and common agreement "will provide a pathway to nationwide connectivity and advance technology so that information can securely follow patients where and when they need it," the document notes.
ONC's trusted exchange framework and common agreement comprise a set of shared principles, terms and conditions to facilitate trust between health information networks, the document notes.
Additionally, ONC oversees the federal Health IT Advisory Committee, which recommends policies, standards, implementation specifications and certification criteria to support three priority target areas: interoperability, privacy and security, and patient access.
"While ONC is a very small part of federal spending on healthcare, ONC encourages innovation and competition, transparency and embracing person-centered care that values the whole individual, including their goals, culture and privacy," the budget document notes.
"ONC strives to ensure patient empowerment is a priority in the U.S. health care system and continues to work with federal partners, and other key stakeholders, to ensure patients are able to gain better access to information about their care."