President Obama’s administration submitted its budget proposal for fiscal 2017 earlier this year—indicating a clear funding prioritization of HIPAA compliance audits and other health care initiatives.

According to the FY 2017 OCR Budget Brief, the increased budget would “modernize HIPAA protections, support innovation in healthcare, ensure adequate protections in new programs and technologies, streamline requirements to make them less burdensome, and evaluate new areas where HIPAA does not currently apply.”

Among the budgetary recommendations is $1.15 trillion for the Department of Health and Human Services. Of that sum, $43 million is slated for the HHS’ Office for Civil Rights (OCR), which enforces HIPAA, and $82 million for the Office of National Coordination for Health IT (ONC). If approved by Congress, these requests would result in budget increases over the fiscal 2016 budget, including a 3% increase for HHS, a 10% increase for OCR and a 36% increase for ONC.

The proposed fiscal 2017 budget increases would cover several HHS initiatives including:

  • Funding for HHS to modernize its HIPAA protections
  • Funding for OCR to add 18 full-time equivalents to its current staff of 180 to cover the next round of HIPAA compliance audits in 2016
  • Funding the ONC to advance secure nationwide health information exchange and interoperable health care IT, making sure that, for example, electronic health records can easily exchange data

Budget Prioritization for HIPAA Compliance Audits

HIPAA audits are a clear priority in the budget increase requests. An HHS budget brief noted: “OCR plans to conduct comprehensive and desk audits of covered entities and business associates. Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance. The audit program will offer a new tool to help ensure HIPAA compliance by covered entities and business associates while also informing OCR on areas in which to direct its enforcement and technical assistance.”

The proposed funding increase for OCR would also enable the office to focus its efforts on modernizing HIPAA, allowing for better protection of health information and improved health outcomes while strengthening the ability to detect and prevent cyber-attacks. OCR will continue its robust enforcement and will also encompass “efforts to streamline HIPAA requirements to make them less burdensome.”

Despite a lack of approval from Congress for fiscal 2016 funding for HIPAA compliance audits, OCR officials stated last fall that they planned to launch the next round of HIPAA compliance audits in 2016. In February, an OCR spokesperson told Information Security Media Group: “OCR is committed to launching the second phase of its audit program in FY2016. We will share more information on the details of our audit program as it becomes available.”

In fact, after many delays, OCR announced the launch of Phase 2 of its audit program on March 21, 2016 in advance of the budget increase approvals. In a statement, the agency said:

“As a part of our continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

Organizations can take a proactive approach in advance of an audit. For example, by reviewing the Updated Phase 2 Audit Protocol, organizations can conduct their own mock audit to help prepare for OCR HIPAA audits and investigations.

Contact us today for more information about how we help organizations to build and improve their cybersecurity and information risk management programs.

Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.