The Department of Health and Human Services Office for Civil Rights announced the launch of three new divisions late Monday that aim to address the funding and staffing constraints that have limited the agency’s investigatory efforts.
Since 2017, the OCR caseload has risen to more than 51,000 complaints of possible patient privacy, security, and religious freedom violations. Of those 51,000 cases, 69% were tied to Health Insurance Portability and Accountability Act laws. The agency is tasked with enforcing 55 civil rights, conscience, and privacy statutes.
The reorganization is designed wholly to improve the agency’s “ability to effectively respond to complaints, puts OCR in line with its peers’ structure, and moves OCR into the future,” OCR Director Melanie Fontes Rainer said in the release.
Specifically, OCR is renaming the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to reflect its focus on cybersecurity, including breaches of protected health information. The shift was spurred by the increase in large breaches, which the agency believes will only continue to expand.
To date, hacking incidents account for 80% of the large healthcare data breaches reported to OCR. HIPDC will work to address these health information privacy and cybersecurity concerns.
Further, the agency is reorganizing the current Health Information Privacy, Operations and Resources, Civil Rights and the Conscience and Religious Freedom divisions to reflect areas of experience around policy, strategic planning, and enforcement to improve enforcement efforts.
Complaint resolution can take OCR years to complete
The agency shift will be a welcome change to industry stakeholders who’ve long worried the enforcement constraints were limiting the ability to correct misbehaving covered entities and business associates. Complaints tied to data breach issues, for example, can take years to resolve.
The recent Banner Health enforcement action is a prime example of these delays. The $1.25 million civil monetary penalty issued in February stemmed from a data breach that occurred in 2016, seven years ago.
In contrast, OCR has prioritized patient access rights in the last few years amid the drive for greater interoperability in healthcare. More than 30 enforcement actions have been taken over access rights in the last four years, often within a year of the initial complaint.
To reflect these needed changes, OCR effectively launched its enforcement, policy, and strategic planning divisions to create a “more integrated operational structure for civil rights, conscience protections and privacy protections and cybersecurity protections.” The shift mirrors the make-up of the Department of Education’s Office for Civil Rights.
The new enforcement and policy divisions aim to make better use of the agency’s limited resources, which includes a shift to “a skill set model, where teams are organized by skillset and focus on a full set of legal issues.” OCR believes the approach will support direct engagement between policy, enforcement, and investigations. The model is, again, similar to that of DOE.
The standalone division will be led by Luis Perez, “a trust advisor and leader.” Rainer said the department “will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps” for all complaints filed with OCR. The new structure should enable better use of agency expertise to better protect patient rights.
Lastly, the newly established Strategic Planning Division will coordinate public outreach on OCR’s authorities to protect civil rights, conscience, and health information privacy as well as expand data analytics and coordinate data collection across HHS leadership.