Trump's Proposed HHS Budget: A Close LookHIPAA Enforcement, Medical Device Security Would Get More Funding
Funding for HIPAA enforcement would increase slightly under President Trump's proposed budget for fiscal 2021, thanks, in part, to income generated from fines imposed for HIPAA violations. Also targeted for support are medical device security initiatives and efforts to end the blocking of health data sharing.
The Trump administration's proposed $4.8 trillion federal budget for fiscal 2021 includes discretionary budget requests of $94.5 billion for HHS, a 10 percent decrease from the fiscal 2020 enacted level.
Discretionary budget cuts for the Office for Civil Rights, which enforces HIPAA, would be more than offset by money raised by enforcement actions. But the Office of the National Coordinator for Health IT, which oversees national standards and policies for secure and interoperable health information exchange, would see a funding cut of 16 percent under the Trump administration's proposal.
In addition, the budget calls for $18 million to fund a new Food and Drug Administration effort to implement a system to better evaluate the lifecycle safety and security of medical devices. Also, proposed is $5.3 million for the HHS' Office of Inspector General to implement its investigative and enforcement work around inappropriate "blocking" of the sharing of healthcare information.
The president's budget is little more than a wish list because Congress must enact appropriations, and the final funding levels differ from the administration's requests.
OCR's total proposed fiscal 2021 budget is $57 million, including $27 million in funding from HIPAA and civil rights enforcement collections and $30.3 million in discretionary funding. By comparison, OCR's enacted total fiscal 2020 budget was $53 million - which included more than $14 million from enforcement settlements and discretionary funding of $39 million, according to HHS budget proposal documents.
Despite the overall increase in funding, the budget calls for cutting OCR staff to 141 full-time employees, down from 151 full-time employees in fiscal 2020.
OCR has four divisions, two of which are involved with HIPAA. That includes an operations and resources division, which acts as OCR's primary enforcement arm for HIPAA as well as civil rights complaints.
Another division, OCR's information privacy division, carries out the agency's various activities related to compliance with the HIPAA privacy, security, and breach notification regulations, such as developing guidance and exercising OCR's civil monetary penalty authority.
Combined, the operations and resources division and the health information privacy division are proposed in fiscal 2021 to receive a total of about $22.3 million from HIPAA and civil rights settlements to offset cuts to their discretionary budgets.
The $4.3 million in HIPAA settlement money slated to go to the health information privacy division could actually result in a $338,000 budget increase for the unit, compared with the division's enacted fiscal 2020 budget (see: Tying Up Loose Ends for Health Data Privacy and Security).
The budget proposal document notes that in calendar 2019, OCR completed 10 HIPAA enforcement actions including the imposition of two civil money penalties and the settlement of eight cases with a monetary settlement and corrective action plan, for a total of $12.2 million in collections.
The budget document notes OCR is examining how is can streamline and update its regulations, including HIPAA.
"The HIPAA privacy and security rules were initially written and implemented more than a decade ago, and much has changed in healthcare, including access, use and disclosure of health information," the document notes.
"Recognizing that well-intended regulations can lose their efficacy with the passage of time and regulatory complexity can contribute to noncompliance, OCR is reviewing its regulations and significant sub-regulatory guidance to identify and modify or eliminate regulatory provisions and interpretations that are no longer effective or increase complexity for the regulated community without a corresponding benefit to health information privacy or security protections, or empowerment of individuals."
At the same time, OCR is working to implement provisions of the HITECH Act and the 21st Century Cures Act that mandate new regulations or the issuance of further guidance, the budget document notes.
The proposed budget notes that OCR experienced substantial challenges throughout 2019, including a significant reduction in experienced staff due to retirements.
"Nevertheless, in fiscal 2019, OCR exceeded its target for resolving health information privacy and civil rights cases through the investigative process within 365 days," the budget documents notes.
Critiquing OCR Budget Strategy
Privacy attorney Iliana Peters of the law firm Polsinelli, who formerly worked at OCR, sizes up OCR's strategy of relying on income from its enforcement activities to support its budget.
"This is only the second year that OCR has included mention of its enforcement recoveries as part of the budget request," Peters notes. Once appropriated funds are reduced, and replaced with funding from fines, it will prove difficult to win back a bigger appropriation, she says. "So, I think this signals that OCR is fairly confident in a certain level of recoveries from HIPAA settlements and civil money penalties going forward for some time."
An additional drawback to this approach, she says, is that "most federal agencies do not use non-appropriated funds for federal government employees. So this decision also signals to me that OCR expects the majority of its investigative staff and auditors to be contractors for the foreseeable future. While these contract attorneys are smart, well-trained, and well-integrated into OCR's HIPAA program, they are hard to retain, given that they don't reap the benefits of federal government employment."
For the Office of the National Coordinator for Health IT, the proposed fiscal 2021 budget is $50.7 million, a cut of about 16 percent from fiscal 2020. Nevertheless, the total staff would remain at 164.
"With this budget, ONC will continue its longstanding focus on two critical national priorities for the healthcare industry: the interoperable exchange of electronic health information, and reducing the administrative burdens facing healthcare providers," the budget document notes.
Privacy and security-related activities will continue for ONC, especially as it works closely with OCR "in response to [21st Century] Cures Act requirements and to address emerging challenges related to HIPAA and the privacy and security of electronic health information," the proposed budget notes.
"ONC remains unwavering in its longstanding goal to promote and ensure secure patient access to, and exchange of, electronic health information. A fundamental part of ONC's interoperability efforts is ensuring the privacy and security of patient data," according to the budget.
"For patient data to be shared, it must be requested and directed by patients. ONC is encouraging and permitting entities to educate patients on the risks of sharing their medical data, as well as things they should consider before sharing their data with anyone."
Patient ID Matching
The budget document also acknowledges that while Congress has left in place a longtime ban on HHS funding the promulgation or adoption of a unique patient health identifier, Congressional committees are "also aware that one of the most significant challenges inhibiting the safe and secure electronic exchange of health information is the lack of a consistent patient data matching strategy (see: Senate Budget Bill Would Keep Patient ID Ban Intact).
As a result, the budget notes, "ONC will continue to provide technical assistance to private-sector-led initiatives to develop a coordinated national strategy that will promote patient safety by accurately identifying patients to their health information."
Under the Trump administration's proposed budget, the FDA budget would rise more than 4 percent to $6.2 billion in fiscal 2021. That includes $18 million to "transform medical device safety, cybersecurity and review."
Under the plan, the FDA would build "an integrated knowledge management system and portal for medical devices using modern, agile information technology systems with secure data storage," according to the budget.
This would enable the FDA to better monitor safety issues "along the total life cycle of the device from bench testing to premarket clinical trials to postmarket adverse events and real-world evidence."
The system will improve FDA's capability "to better leverage pre-existing and new data in near-real-time ... essential for implementing FDA's new approaches for digital health technologies, breakthrough devices, use of real-world evidence, and cybersecurity," according to the proposed budget.
The budget proposes a 7 percent increase in funding for HHS' watchdog agency, the Office of Inspector General.
Some $5.3 million of the OIG budget would be devoted to investigating inappropriate blocking of health data records sharing.
HHS' controversial proposed rules on interoperability and information blocking prevention, which were released in February 2019, have been under review by the Office of Management and Budget since last fall and are expected to be issued soon (see Long-Awatied HHS Data Sharing Rules Raise Privacy Worries.