Report on Patient Privacy 22, no. 5 (May, 2022)
Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and business associates (BAs). And, if Congress agrees, its impact would expand significantly in the coming months.
As part of its 2023 fiscal year (FY) budget, which would begin Oct. 1, OCR has requested a 55% increase in its overall funding, for a total of $60.2 million.[1] It also would like to boost its total staffing by 91 new employees, an increase of 64%. While some of the funds would be devoted to enforcement of civil rights laws, much would support hiring additional investigators and tackling OCR’s backlog of complaints, including those alleging HIPAA violations.
But on top of requesting more money, OCR wants more muscle: Its budget proposal also seeks the authority to pursue injunctions against CEs and BAs, and—although the exact amount is unstated—the agency plans to work with Congress to increase the annual penalties it can impose for infractions of the privacy, security and breach notification rules. As part of a suit that HHS ultimately lost against the University of Texas MD Anderson Cancer Center, OCR in 2019 dropped the annual penalty caps to a level it now believes is ineffective in preventing violations.[2]
Aside from dollar and staffing information, OCR rolled its other requests into a single paragraph that is referred to in budget documents as a “legislative proposal.”
“OCR is proposing an increase in the amount of civil money penalties that can be imposed in a calendar year for HIPAA noncompliance and [seeks authorization] to work with the U.S. Department of Justice to seek injunctive relief in federal court for HIPAA violations,” the documents state. “Authorizing higher annual caps would increase OCR’s ability to vigorously enforce the HIPAA Rules, create a greater incentive to comply with the health information privacy laws, and effectuate greater industry compliance. In OCR’s experience, the current limits on civil money penalties do not create a sufficient deterrent to industry noncompliance.”
OCR did not respond to RPP’s request for more details, including specifics about requested penalty increases.
Like most other federal agencies that rely on congressional appropriations, OCR’s funding in the past two decades has come through partial-year continuing resolutions, widely believed to be a broken process that typically doesn’t allow for big increases or many new initiatives. But the White House’s system for proposing a budget has remained unchanged. The president issues a budget request for each department and wish-list items—i.e., legislative proposals—that, in general, Congress would have to codify into law for them to become a reality.
That said, no president’s budget is ever enacted whole cloth, regardless of which political parties are in control or hold the most sway, and if the administration feels strongly enough about a proposal or idea, some other means, such as an executive order, may be employed to achieve the same, or similar, goal.
As the budget explains, the president is seeking $60.250 million, an increase of $21.452 million over the current funding level, based on an annualized appropriation from the most recent continuing resolution.
OCR defended the request on multiple grounds. “Complaints received by OCR have risen significantly in recent years. Case receipts increased from 1,948 cases in 2003 to 45,832 in fiscal year 2021,” the agency said. However, while the “caseload has risen dramatically, OCR has experienced a large decrease in staffing available to resolve complaints. The number of investigators has dropped from 121 investigators in 2003 to 77 investigators in 2020.”
These shifts mean “OCR is limited in the number of complaints per year that it is able to resolve through a full investigative process,” it said.
“OCR plans to proactively address these issues by initiating compliance reviews and using additional staff in the regional offices to respond to the complaints in a timely and impactful way. This budget request includes supporting new regional investigators to resolve new civil rights and HIPAA cases, address the backlog of complaints, and initiate compliance reviews in the Administration’s priority areas,” according to the proposed budget. “OCR intends to add 37 additional investigators and supervisory investigators in FY 2023. These additional [employees] will be brought on to augment the regional staff who work on cases, breaches, compliance reviews, and other enforcement actions.”
Staff Face Escalating Complaints
Typically, OCR has “used approximately 10% to approximate future case receipts, but in FY21 the increase was over double that amount,” the agency said. “Given the trend in complaints to OCR as well as the priorities articulated by the Administration, OCR anticipates a significant increase in the number of civil rights, information breaches, and cybersecurity complaints.”
OCR said it would allocate $8.164 million to “address the existing complaint inventory.” The agency added that “the trend of case receipts is estimated to further increase in FY 2022 as OCR received nearly 46,000 complaints in FY21.”
These are complaints of all types, not just those related to possible HIPAA violations, though these have been increasing as well. Agency data shows OCR expects to receive more than 28,000 HIPAA complaints this year.
Additional funding is needed “to address the increased levels of complaints as well as breaches of unsecured PHI [protected health information] affecting more than 500 individuals,” which OCR noted in the budget documents have gone up every year.
According to the budget, in calendar year 2020, OCR received 683 reports of breaches affecting more than 500 individuals, a 30% increase over 2019. During a recent conference, an OCR official said that number had grown in 2021 to 714.[3] OCR opens an investigation into every breach affecting more than 500 people.
With additional staff, OCR “estimates it will result in the backlog being eliminated by FY 2026.”
Budget Answers Lingering Questions on Fines
But it’s OCR’s desire to increase fines and its quest for injunctive relief that are likely to have a more immediate impact on errant CEs and BAs. The move to boost fines would reverse limits in place since 2019. As noted earlier, the reductions stem from OCR’s 10-year, and ultimately failed, attempt to impose a $4.348 million fine against MD Anderson.
MD Anderson’s case began with two thefts/losses in 2012 and one in 2013. After MD Anderson refused to settle, OCR assessed a fine of $1.5 million for the 2012 losses and another $1.5 million for the 2013 incident. Then it added another $1.348 million for the organization’s lack of encryption on the devices. OCR took action to impose the fine in 2017, which was upheld in 2018 by an administrative law judge (ALJ) and later by an ALJ review panel.[4]
But in April 2019, while the case was still ongoing, then-OCR Director Roger Severino published a “notice of enforcement discretion” in the Federal Register announcing that OCR was reducing its civil money penalties to better match a new interpretation of OCR’s authority granted in the HITECH Act to impose amounts based on the entity’s culpability and level of knowledge of a violation or violations.[5]
The change meant that OCR would no longer impose the same annual cap of $1.5 million for all levels—fines that had been in effect for 10 years—but they instead would be $25,000 if there was no knowledge of the violation, $100,000 when there was “reasonable cause” of the violation, and $250,000 in the event of “willful neglect” with corrective actions. The highest tier—$1.5 million per year—would be reserved for “willful neglect not corrected.”
The notice said OCR would “use this penalty tier structure, as adjusted for inflation, until further notice.”
At the time, Severino did not acknowledge the reinterpretation was related to the case, but HHS attorneys admitted in court that the lower numbers—which MD Anderson had argued for—were accurate.
MD Anderson continued fighting, and in January 2021, the Fifth District Court of Appeals threw out the entire case, saying OCR was wrong on multiple counts and that MD Anderson owed no penalties.[6] That ruling also noted that “after MD Anderson filed its petition, the Government conceded that it could not defend its penalty and asked us to reduce it by a factor of 10 to $450,000,” the court wrote. That is the amount that MD Anderson concluded it could owe if OCR applied annual caps appropriately.
OCR officials subsequently and repeatedly said the agency needed to respond to the ruling through rule-making or some other means. But it had made no public moves on fines until the appearance of the legislative proposal included in the upcoming budget. Some compliance officials and others may be surprised if they thought OCR was going to codify the lower levels, because that’s clearly not its intention.
Enforcement Discretion Still Stands
Health care attorney and former OCR regulator Adam Greene has been opining on the issue of penalty amounts, blogging last fall that OCR, now under the Biden administration, might not be bound by the Trump White House’s lowering of the caps.[7] He noted that the MD Anderson ruling is in effect only in the Fifth Circuit. Still, Greene pointed out, the caps will stand unless OCR moves to rescind the notice of enforcement discretion. To date it has not done that, and the budget documents indicate it is seeking a legislative way to go back to the higher caps.
Greene, who was not aware of the legislative proposal until RPP contacted him, said it, at least, brings transparency to OCR’s intentions regarding penalties.
“From my perspective, I would be most interested in clarity, such as revising the regulations or putting out a clarification notice, to confirm whether they are acceding to the court’s interpretation in the MD Anderson case,” said Greene, a partner with Davis Wright Tremaine LLP. “In practice, if Congress were to act on this request to increase the annual year caps, I see it as a return to the status quo more than anything else.”
Injunctive Relief Would Be New
Regarding injunctive relief, Greene said he is “not surprised OCR would want this authority,” noting that the HITECH Act “provides attorneys general with authority to seek injunctive relief.”
“Under the current law, OCR can penalize past conduct,” and if the CE or BA agrees to a corrective action plan (CAP), it can compel the organization to cease certain practices or begin others. But without a CAP, it can’t do either. Some organizations have chosen to accept a fine rather than comply with a CAP.
In the absence of a CAP, if the entity is a repeat offender, “OCR’s recourse is to bring another enforcement action in the future,” Greene explained. “If OCR were given authority to obtain injunctive relief, then it could require entities to take or discontinue actions—such as by requiring an entity to provide an individual with access to records or to discontinue a use or disclosure of protected health information—rather than only being able to penalize the entity after an act or omission occurs.”
1 HHS, Fiscal Year 2023: Justifications of Estimates for Appropriations Committees, accessed May 2, 2022, https://bit.ly/3NDSYOq.
2 Theresa Defino, “Easy Win for MD Anderson? OCR Drops Annual Caps, Issues Warning on Right-of-Access Denials,” Report on Patient Privacy 19, no. 5 (May 2019), http://bit.ly/2LRuymI.
3 Theresa Defino, “Words From the Wise: OCR Shares Recurring Issues, Reviews Cases,” Report on Patient Privacy 22, no. 4 (April 2022), https://bit.ly/37UH9n4.
4 HHS, “Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations,” news release, June 18, 2018, http://bit.ly/2Ko5GFf.
5 Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 84 Fed. Reg. 18,151 (April 30, 2019), http://bit.ly/2GXq4Y8.
6 Theresa Defino, “MD Anderson Sees Vindication After Long Battle, Says Others Will Benefit,” Report on Patient Privacy 21, no. 2 (February 2021), https://bit.ly/3uouOx3.
7 Adam H. Greene and Rebecca L. Williams, “Some Things Are Inevitable … Death, Taxes, and Rising HIPAA Penalties,” Privacy & Security Law Blog, Davis Wright Tremaine LLP, November 30, 2021, https://bit.ly/38Hcslr.