What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity

July 15, 2021

HIPAA compliance has seemed to be on the government’s radar more than ever before. In just the past year, we’ve seen record-breaking Office for Civil Rights (OCR) enforcement, proposed Privacy Rule updates, and the implementation of the HIPAA Safe Harbor Law and the 21st Century Cures Act, two new sets of legislation centered around healthcare, technology, and patient rights. So with the spotlight set on protecting the privacy and security of health data during a time when reliance on technology is especially prevalent, it should come as no surprise that the government’s newly proposed budget features a heavy focus on, and an increase in funding for, this area specifically.

What’s in the proposed budget? 

The Biden Administration released its proposed 2022 budget for the Department of Health and Human Services (HHS) in early June. The proposal calls for additional spending to better protect the healthcare industry from evolving cyber threats and to support government efforts in enforcing compliance among covered entities. So exactly how much of a budget increase is it requesting, and what does that tell us about the future of HIPAA compliance?

  • Well for starters, the requested budget seeks $111 million for cybersecurity (an increase of $53 million from what is currently enacted in 2021). According to the official HHS Budget in Brief document, this dollar figure was proposed to “support the advancement of existing, and adoption of new, security technologies to protect the department’s information from the evolving number and complexity of cyberthreats.”
  • The budget also includes $73 million to “build greater resilience into information technology systems across HHS by providing resources for security operations center enhancements and increased logging functions.”
  • Remember the 21st Century Cures Act that we mentioned earlier? The proposal is also seeking $5 million to fund investigative and enforcement efforts related to information blocking provisions within the Cures Act.
  • Additionally, the budget also includes $15 million to “hire specialized personnel from a competitive cybersecurity job market, increase OIG’s cybersecurity efforts, support needed expansions in digital technology, modernize OIG’s IT infrastructure, and further promote an AI-ready workforce.”
  • On top of the increase in spending for cybersecurity, the Biden Administration is also proposing more overall funding for the HHS and their HIPAA enforcement efforts. The increase comes with a price tag of $48 million, which is $9 million more than fiscal 2021’s $39 million discretionary budget.
  • The proposed budget also allocates $19 million in civil monetary settlement funds to support HIPAA enforcement activity bringing the proposed budget to a total of $67 million for the OCR. 
  • In addition to the funding for the OCR and cybersecurity – the budget also includes an $87 million increase in funding for the Office of the National Coordinator for Health IT (ONC), which focuses on ensuring that the most advanced health information technology is implemented and used to best protect the electronic exchange of PHI. 
  • And finally, the proposal asks for an increase of $13 million for the ONC to “build the future healthcare data infrastructure needed to better respond to and prepare for public health emergencies, including the COVID-19 pandemic.”

While those dollar figures are already a good indicator of where we can expect the government to continue its focus, ensuring that patients’ health data is properly protected goes beyond those hefty price tags. The fiscal 2022 proposed budget also seeks to add 39 staff members to the OCR, bringing the employment total to 229, and acknowledges that the “OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.”

So just as recent enforcement numbers have proven the government’s awareness of noncompliance, and the influx of cyberthreats has shed light on a lack of proper security protections amongst healthcare providers, this proposed budget provides a ‘crystal-ball’ prediction of what we can expect to see moving forward. Adding millions of dollars to the budget and expanding the task force in these relevant government agencies will make even more resources available to ensure all covered entities are best protecting health data privacy and security. And although the new budget is not finalized as of yet, the upcoming changes to the Privacy Rule and the commitment outlined within the proposal to improve upon government rulemaking are a clear sign that the government’s emphasis on HIPAA and other health IT-related laws is not going away anytime soon.

What does this mean for you? 

First off, meeting HIPAA and cybersecurity requirements is essential to protecting your practice and your patients from a data breach or HIPAA violation. While these are certainly things that should be prioritized regardless of the government’s spending plans, the proposal creates even more urgency in ensuring that you have these necessary safeguards in place. So as the government continues to hone its focus on health data privacy and security, your practice should too, and having a complete compliance AND security program is the perfect place to start.