The Department of Health and Human Services’ Office for Civil Rights received more than 51,000 complaints in 2022 about violations of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and civil rights and conscience/religious freedom laws. Complaints have increased by 69% since 2017 and the number of cyberattacks and data breaches now being reported is considerably higher than 5 years ago. A recent OCR report to Congress confirmed there has been a 58% increase in reported data breaches of 500 or more records since 2017.
While complaints and reported data breaches have increased significantly, OCR’s funding has not. OCR has also not been able to increase funding through its enforcement actions. OCR has increased the number of fines and civil monetary penalties imposed to resolve HIPAA violations, but the total funds received are down due to a reinterpretation of the language of the HITECH Act, which saw OCR reduce the maximum fines it can impose for violations of HIPAA in three of the four penalty tiers.
The funding OCR receives from the government is not sufficient, and that is naturally having an impact on the ability of OCR to achieve its objectives. OCR enforces 55 civil rights, conscience, and privacy statutes, so its resources are being spread very thinly. OCR responds to all complaints and investigates all data breaches of 500 or more records along with a select number of smaller data breaches, but there is currently a tremendous backlog of cases and investigations. The OCR breach portal, for instance, currently includes 876 data breaches of 500 or more records, complaints about potential HIPAA violations increased by 25% last year, and OCR also has to deal with increases in complaints about civil rights, religious freedoms, and conscience violations.
While OCR has continually requested an increase in the funding it receives from the federal government, aside from increases due to inflation, extra cash has yet to materialize, which means OCR needs to do more with the limited funding it receives. On February 27, 2023, the HHS announced that action is being taken to help OCR address the growing need for enforcement of civil rights, conscience, and privacy statutes by restructuring OCR and creating three new divisions: Enforcement, Policy, and Strategic Planning.
As part of the restructuring, OCR will be renaming the existing Health Information Privacy Division (HIP), which will become the Health Information Privacy, Data, and Cybersecurity Division (HIPDC). HIP has long had a cybersecurity role, which includes investigating the hacking and IT incidents reported to OCR by HIPAA-regulated entities. That aspect of the division’s remit has been increasing as more and more hacking incidents are being reported. 80% of all data breaches now being reported to OCR are due to hacking. The renamed division will continue to investigate these breaches and meet growing demands to address cybersecurity and health information privacy concerns.
OCR has also announced that the responsibilities of its Health Information Privacy, Operations and Resources, Civil Rights, and Conscience and Religious Freedom divisions will be reorganized into new, functional crosscutting areas, and existing staff will now work in areas that match their skill sets, rather than focusing on the enforcement of specific laws. This should improve efficiency and make better use of OCR’s limited resources, which will help OCR reduce the current backlog of investigations. The HHS said the new structure reflects that of other federal civil rights offices such as the Department of Education’s Office for Civil Rights. The newly established Strategic Planning Division will coordinate public outreach on OCR’s authorities to protect civil rights, conscience, and health information privacy, and will also expand data analytics and coordinate data collection across the HHS.
“Today’s reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure, and moves OCR into the future,” said OCR Director Melanie Fontes Rainer. What we can expect, therefore, is more timely investigations, and potentially an increase in financial penalties for organizations found to have violated privacy, civil rights, religious freedoms, and conscience laws.