March 21, 2011 - The HHS Office for Civil Rights in its fiscal year 2010 budget request is asking for $46.7 million in funding, an increase of $5.6 million over the current level, and with 76 percent of the new funds going for increased enforcement of health information privacy and security rules.

OCR's budget for health information privacy and security was $19.857 million in both fiscal years 2010 and 2011. The privacy/security FY 2010 request for $24.122 million - a $4.265 million increase - reflects a sharply increased workload because of the HITECH Act's provisions to strengthen and more aggressively enforce the HIPAA privacy and security rules, as well as enforce the breach notification rule.

The request for increased funding includes $2.283 million for placement of a privacy advisor in each of OCR's 10 regional offices, $1 million for enforcement of the security rule and $1.335 million for investigation of breaches of health information. The breach notification rule has substantially increased the office's workload, according to an OCR report justifying its budget requests that was sent to congressional appropriations committees.

"Current OCR practice is to validate, post to the HHS Web site and subsequently investigate all breach reports that impacted more than 500 individuals," according to the document. "Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress, however, they are treated as discretionary and only investigated if resources permit. Based on OCR's current HIPAA caseload, almost all breach reports that impact less than 500 individuals are not investigated.

"This issue creates a problem in that if these breach reports were submitted to OCR as complaints by members of the public they would be investigated; however, investigating these reports would result in a more than doubling of OCR's HIPAA workload. The breach reports received to date represent a 109 percent increase in total HIPAA workload. This new workload would be in addition to the nearly 9,400 HIPAA Privacy and Security Rule complaints that OCR investigated in FY 2010. Additional FTEs are critical if OCR is to successfully investigate the estimated 20,000 combined breach reports and HIPAA complaints that are anticipated to be received annually."

OCR's report to justify its budget is available as a PDF here.

This story originally appeared on Health Data Management.