It may sound counterintuitive, but proposed budget cuts may just stimulate increased enforcement as OCR is forced to become more self-sufficient. In recent articles, Leon Rodriguez, head of OCR, explains how the Administration’s 2013 budget will result in a 5 percent shortfall in funding for his organization, which is responsible for HIPAA enforcement. This comes despite promises by Rodriguez, after he assumed office, that he would step up enforcement activities. Already the OCR has to rely on contractors to handle its random audit program and for support to its complaint management process. So with fewer dollars, how are they going to step up enforcement? Sounds hard to imagine, but maybe not.
Adam Greene, who used to be at OCR and has since moved over to the law firm of Davis Wright and Tremaine, opines that the increase in responsibilities from HITECH, the decrease in budget, and the stated goal of increasing enforcement may lead to more fines. Remember that under HITECH the monies received from HIPAA Privacy and Security fines go to OCR to support further enforcement activities. So a reduction in budget, forcing OCR to be more self-sufficient, could very well result in more enforcement activity or, at the very least, a more critical look at fines.
A tangential consequence of this reduction in budget, and of any accompanying perception of relaxed enforcement, could be more activity by State AGs. An example of this is the Minnesota case pending against business associate Accretive Health, Inc. While this case was in no way connected to the reduction in the budget, nor precipitated by it, there have been more than a couple of articles saying that this action suggests a growing impatience by State AGs with the lack of final rule making by OCR. I somewhat doubt this, though, as State AGs have not shown a lot of interest in going after potential HIPAA violations associated with breaches, and there has been more than enough opportunity for them to do that in the last year.
The bottom line is that we’ll have to wait and see, but your best bet is to be ready, manage your systems and data appropriately, and not try to second-guess or predict what will or won’t happen. What is known is that you could become subject to attention through a complaint, a breach investigation, a random audit, a State AG level action or a lawsuit as a result of a breach. I think there is more than enough there to understand why readiness makes sense.