Compliance , HIPAA/HITECH , Risk Management

Trump Proposes Hefty HHS Budget Cuts for OCR, ONC

Experts Analyze Potential Impact on Privacy, Security Efforts
Trump Proposes Hefty HHS Budget Cuts for OCR, ONC

This story has been updated.

See Also: IoT is Happening Now: Are You Prepared?

The Trump administration's detailed proposed fiscal 2018 budget, unveiled Tuesday, includes hefty cuts to the two Department of Health and Human Services agencies responsible for health data privacy and security issues, including HIPAA enforcement.

The Office of the National Coordinator for Health IT - which oversees health IT standards and policies, including secure health data exchange - would face a 36 percent budget cut under the Trump budget proposal for fiscal 2018, reducing its budget from $60 million to $38 million. Full-time staff would be cut from 188 employees to 162. ONC's privacy and security activities would be "closed out."

Meanwhile, the Office for Civil Rights - which enforces HIPAA - faces a 16 percent budget cut, with spending dropping to $32.5 million from nearly $39 million and staff cut to 161, down from the current 177.

Back in March, the White House issued its so-called "skinny budget" for fiscal 2018, which called for slashing HHS's total budget by $15.1 billion, or nearly 18 percent, to $69 billion, but contained few details.

Congress Could Make Big Changes

Of course, presidential budgets are never passed as-is, and Congress could choose to make major changes as part of its appropriations process.

"This budget proposal is nothing more than a rough first draft," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "There seems to be a widespread consensus that few, if any, people in Congress like the budget."

Nahra contends the budget proposal "places abstract political principles and tax cuts ahead of the business of government, even in defense of laws passed by Congress. While OCR, for example, is not generally changing its approach, cutting staff will force them to do things differently. That may have the result of being bad for both individuals and businesses."

Likewise, privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, claims it would be "extremely challenging for federal agencies like OCR and ONC to carry out their mission if the president's proposed budget for HHS is passed by Congress."

Cuts at OCR

Among the potential early casualties of the proposed cut to OCR would be the agency's HIPAA audit program, Nahra predicts.

Last fall, OCR launched its much delayed phase two of the HIPAA compliance audit program. That included OCR conducting more than 200 remote "desk audits" of covered entities and business associates.

OCR officials had originally planned to also conduct a smaller number of more comprehensive on-site audits in the first quarter of calendar 2017. But by February, officials said plans to conduct those onsite audits were being pushed back (see HIPAA Compliance Audits: Very Latest Details).

If Congress does indeed approve the proposed OCR budget cut, onsite audit plans could be on hold indefinitely.

But privacy attorney Adam Greene of the law firm Davis Wright Tremaine says much more is at stake than the future of HIPAA audits. "If these budget cuts are enacted, I think the biggest hit to OCR will be in putting out new policy guidance. There is a lot of demand for additional guidance, but not enough staff to do it," he says.

OCR's HIPAA enforcement activities, including breach investigations, however, are a bit more complicated, he adds.

"OCR gets to keep enforcement settlements and penalties and apply them toward future enforcement efforts, but you can't hire government employees on one-time enforcement payments," Greene says. "You can hire contractors, though. So these budget cuts may lead to less government employees doing enforcement and more reliance on contractor staff to assist."

Joy Pritts, a former ONC chief privacy officer, says OCR's HIPAA enforcement activities could be spared the brunt of the proposed cuts, if enacted. But that isn't necessarily the case for OCR's other regulatory activities, especially those related to anti-discrimination.

"OCR civil rights activities - other than HIPAA - will probably suffer the most from the proposed budget cuts," Pritts says. "OCR's HIPAA activities may be able to withstand some of the budget cuts because any civil monetary fines that OCR collects under HIPAA are designated to OCR for HIPAA enforcement purposes."

Potential Impact to ONC

Meanwhile, the proposed budget cuts to ONC could impact the agency's assigned work related to health IT provisions of the 21st Century Cures Act, which was signed into law last December by President Obama.

For instance, under the legislation, ONC is to "convene public and private stakeholders to develop or support a common national trust framework and agreement" for secure exchange of health information.

Lynne Thomas Gordon, CEO of the American Health Information Management Association, which represents more than 103,000 U.S. health information professionals, criticized the proposed cuts to ONC.

"We are disappointed by the administration's proposed cuts to the ONC," Gordon said. "The bipartisan passage of the Cures Act by Congress last year made clear that investment in our nation's health IT infrastructure is critically important if we are to advance new drugs and devices and fully realize the benefits of a learning healthcare system. ONC is a critical partner in this endeavor. We hope that as congressional appropriators draft ... appropriations bills for fiscal year 2018, they will ensure that ONC is properly funded and signal their commitment to meeting the goals of the 21st Century Cures Act."

On the Cutting Block

An HHS budget justification document posted online, however, says: "ONC will continue to devote resources to combatting information blocking and advancing other rule-making activities as required under the Cures Act," HITECH Act and other legislation. "To adequately and efficiently support the shift [in] ... priorities, ONC will shift funding and staff support to these priorities from other ONC policy and program activities." That includes "closing out" activities related to privacy and security, as well as other areas including health IT safety, usability and clinical quality improvement. Eliminating those items from ONC's fiscal 2018 budget will save about $800,000, the document notes.

Phasing out ONC's office of the chief privacy officer is a bad idea, Greene contends. "ONC's privacy office has been doing good work in recent years, putting out guidance on privacy and security issues arising from health IT and ensuring that privacy is part of HHS' promotion of EHRs and health information exchange," he says. "Theoretically, OCR could do this same work, but it does not currently have the resources to handle everything that the ONC chief privacy office was doing, and certainly won't if OCR's budget is also cut."

Pritts, ONC's former privacy officer, notes: "It may make some sense to eliminate ONC's CPO position if HHS intends to move most health IT privacy and security policy work to OCR. But eliminating the CPO while at the same time reducing OCR's budget does not bode well for consumers. It appears that protecting privacy and security in this quickly changing environment will be a low priority going forward."

Other Changes Coming?

Nahra also notes a mismatch between Congress' 21st Century Cures Act-related priorities and the Trump administration's budget for HHS.

"With ONC, the issue is how they can do things Congress just last winter told them to do. So, that's yet another place where this administration is on its own island."

But Holtzman notes that other changes are also potentially on the horizon at HHS.

"ONC and OCR may see changes to their operations under an agencywide reorganization plan being developed by Secretary Tom Price," he says. "I urge taking a wait-and-see approach as the process of adopting a federal budget is far from completion."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network