Trump FY 2019 Budget Would Slash ONC, OCR FundingBut Proposed Budget Would Increase Other Cybersecurity Spending for HHS
The Trump administration's proposed fiscal 2019 budget for the Department of Health and Human Services once again seeks deep cuts to two agencies responsible for health data privacy and security activities.
The White House is proposing to cut millions of dollars from the budget for the Office for Civil Rights, which enforces HIPAA, and the Office of the National Coordinator for Health IT - which the proposed budget notes "leads the government's efforts to ensure electronic health information is available and can be shared safely and securely."
But the budget calls for increasing spending on other cybersecurity-related efforts within HHS in fiscal 2019, which begins on Oct. 1, 2018.
The president's budget is little more than a wish list, because Congress must enact appropriations. In fact, the funding cuts the administration proposed for ONC's and OCR's fiscal 2019 budgets are nearly identical to cuts it proposed for fiscal 2018, but which Congress did not enact. The FY 2018 Continuing Resolution that Congress approved kept the ONC and OCR FY 2018 budgets flat with FY 2017.
Proposed ONC Budget
Like its proposed FY 2018 budget last March, the White House is proposing to cut ONC's budget more than a third, from $60 million to $38 million, for FY 2019.
The budget document notes that ONC's full-time workforce in FY 2019 would stay at 162, despite the proposed cuts. That's the same level as the headcount noted in the FY 2018 Continuing Resolution, which is down from 185 in FY 2017, according to HHS' budget document.
"In FY 2019, ONC will continue the cost reductions included in the FY 2018 budget related to information technology, space, staff training and agency travel. ONC will continue to seek additional administrative and operational efficiencies," the budget document notes.
The administration is also proposing to cut OCR's FY 2019 budget by about $8 million - or about 20 percent - to $31 million, down from the FY 2018 Continuing Resolution level of $39 million.
As a result of the proposed cuts, OCR's full-time headcount would drop to 147 in FY 2019 from 152 in FY 2018.
The HHS budget document claims that in FY 2019, "OCR will continue its robust and comprehensive HIPAA program efforts to maintain and improve upon the solid enforcement achievements from 2017."
OCR in 2017 recovered more than $20 million in HIPAA settlements and civil monetary penalties, the document notes. "As provided for by the HITECH Act, OCR utilizes such collections to support HIPAA enforcement activities and is required to maintain a [HIPAA compliance] audit program."
The budget document notes that by the end of FY 2017, OCR audited 166 covered entities and 41 business associates in phase 2 of the HIPAA audit program.
The budget calls for HHS to boost spending for other cybersecurity efforts within the department to $68 million, an increase of $18 million, or about 35 percent, above funding provided in the FY 2018 Continuing Resolution.
"This funding will support enterprisewide solutions to identify, evaluate, acquire, coordinate, and deploy cybersecurity information and tools across the department," the budget document says. "Without the proposed increase, the department will be unable to take action against cyber threats and to limit the impact of those events, and will be constrained in its ability to proactively engage with a range of stakeholders to provide cybersecurity solutions, workforce and tools integration to increase visibility for enhanced threat identification and management."
Potential Budget Impact
Some privacy and security experts say the proposed funding cuts to OCR and ONC - if enacted - would potentially impact the agencies' health data security and privacy efforts.
"For ONC, these budget cuts would be extremely tough," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "They would will force ONC to more singularly focus on interoperability, with less ability to work on other health IT coordination activities, including guidance on privacy and security," he says.
OCR may be in a slightly better funding positon than ONC, Greene notes. "OCR is able to offset its budget cuts a bit through the funds it receives in [HIPAA] financial settlements and penalties. But it is limited to applying these funds towards HIPAA compliance and enforcement, and there are limits on how the agency can effectively use one-time payments," he says.
For example, it's difficult to hire permanent staff based on a one-time settlement payment. "The result will probably be funding for programs such as audits - where one-time payments can go towards contracted support - but OCR will be challenged with being able to put out much needed policy guidance, with supporting regional staff and with working on non-HIPAA civil rights initiatives."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says it appears that the HIPAA audit program is not a high priority for HHS. "The part 2 audits haven't yet led to any real results - and part 1 never led to a lot of useful information - and it is not at all clear to me that an audit program is a useful allocation of these limited resources."
Meanwhile, under the Trump administration, OCR also has an additional enforcement mission related to supporting a recent executive order, "Promoting Free Speech and Religious Liberty." The budget document notes that in FY 2018, "OCR established a new Conscience and Religious Freedom Division to ensure protection of conscience and religious freedom rights of individuals and entities working in healthcare and human services."
Those new enforcement activities potentially stretch OCR's resources even thinner, says Greene, a former senior adviser at OCR. "OCR is a relatively small office, so I think that the new focus on religious freedom, combined with proposed budget cuts, will inevitably take resources from other OCR initiatives," he says. "The impact may be most acute on the traditional civil rights side, such as limited English proficiency assistance, but likely will also impact resources available for HIPAA enforcement and policy guidance."
Nahra agrees that OCR faces challenges when when it comes its ability to carrying out its various enforcement activities.
"The major issue for OCR on HIPAA enforcement generally is the resources the office gets and then how they are allocated among the parts of the office," he says. "I doubt that there will be any change in the substance of the enforcement approach, but I could easily see resources being moved around so that there is a change in enforcement approach through resources, rather than directly through a philosophical change."
Nahra is concerned about how a budget cut could impact how OCR handles HIPAA cases.
"OCR has historically been a highly responsible enforcement agency - thoughtful and careful about what it is doing and willing to listen to companies under investigation and thoughtful about evaluating whether the actions justify an enforcement result," he says.
"That kind of thoughtfulness takes time and resources, however, and so I am worried that there may be an indirect impact from these resource changes that will lead to less thoughtful enforcement. This resource uncertainty - coupled with the loss of top leadership for HIPAA enforcement - may lead to some real concerns about how the enforcement process plays out."
In recent months, two top OCR leaders responsible for HIPAA enforcement activities have left the agency for new jobs.
Deven McGraw, former OCR deputy director of health information privacy, left the agency in October to join Silicon Valley-based health technology firm Ciitizen. Another long-time OCR official, Iliana Peters, who succeeded McGraw, left the agency earlier this month to join the law firm Polsinelli.