Office of the Secretary, Office for Civil Rights
The Office for Civil Rights ensures equal, nondiscriminatory access to and receipt of all HHS services and the protection of privacy and security of health information, thereby contributing to HHS’s overall mission of improving the health and well being of all Americans affected by its many programs.
OCR Budget Overview
(Dollars in millions)
The Office for Civil Rights ensures equal, nondiscriminatory access to and receipt of all the Department’s services and the protection of privacy and security of health information, thereby contributing to the Department’s overall mission of improving the health and well‑being of all Americans affected by its many programs.
The FY 2017 Budget for the Office for Civil Rights (OCR) is $43 million, an increase of $4 million over FY 2016. The increase will support OCR’s audit program which was mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The audit program will offer a new tool to help ensure Health Insurance Portability and Accountability Act (HIPAA) compliance by covered entities and business associates, while also informing OCR on areas in which to direct its enforcement and technical assistance. OCR will further use the increase to support enforcement of Section 1557 of the Affordable Care Act. OCR’s FY 2017 Budget will also modernize HIPAA protections, support innovation in healthcare, ensure adequate protections in new programs and technologies, streamline requirements to make them less burdensome, and evaluate new areas where HIPAA does not currently apply.
OCR resolves over 4,500 discrimination complaints annually, conducts compliance reviews, and enforces various federal civil rights laws and regulations. These include protections against discrimination on the basis of race, color, national origin, disability, age, and sex in Department-funded programs and certain federal, state, and local government programs. In addition, under Section 1557 of the Affordable Care Act, OCR has enforcement authority with respect to race, color, national origin, disability, age, and sex discrimination in health programs that receive financial assistance or are administered by the Department or any entity established under Title I of the Affordable Care Act.
Other Compliance Activities
In addition to its direct enforcement responsibilities under federal anti-discrimination laws, OCR reviews nearly 2,500 Medicare provider applicants a year to assess compliance with federal civil rights requirements. Through its current formal agreements with 54 health care corporations, OCR ensures ongoing compliance in more than 4,600 facilities that serve over 11 million patients annually.
OCR also works with its federal agency partners to ensure that language assistance services are available to limited English proficient individuals, including with regard to services under the Affordable Care Act and other activities conducted by the Department.
In addition, OCR provides technical assistance and education to states and its federal agency partners to ensure compliance with the Americans with Disabilities Act. OCR disseminates information, creates virtual learning communities, works on guidance documents, and provides webinars on topics such as housing and Medicaid services that provide individuals with disabilities opportunities to live in their communities.
OCR administers and enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR is responsible for policy development through the issuance of regulations and guidance. OCR also provides outreach and technical assistance to the regulated community to ensure covered entities and business associates understand their compliance obligations and to the public to increase individuals’ awareness of their HIPAA rights and protections.
OCR enforces the HIPAA Rules by investigating complaints and conducting compliance reviews of alleged violations of the HIPAA Rules, providing technical assistance and obtaining corrective actions, as well as entering into resolution agreements or issuing civil monetary penalties, where appropriate. OCR resolved more than 16,000 complaints of alleged HIPAA violations in FY 2015.
Settlements and Civil Monetary Penalties
OCR has authority to enter into resolution agreements that include payment of a resolution amount and corrective action plans, as well as imposing civil monetary penalties for violations of the HIPAA Rules. OCR retains and expends these collections to support overall HIPAA enforcement activities.
HIPAA Audit Program
The HITECH Act mandates that OCR conduct periodic audits to assess entity compliance with HIPAA. OCR has conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way. OCR plans to conduct comprehensive and desk audits of covered entities and business associates. Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance. The audit program will offer a new tool to help ensure HIPAA compliance by covered entities and business associates while also informing OCR on areas in which to direct its enforcement and technical assistance.
Section 1557 Enforcement
Section 1557 of the Affordable Care Act prohibits discrimination on the basis of sex. OCR is working to finalize a regulation which will educate consumers about their rights and covered entities about their responsibilities. The regulation will spell out the new prohibitions on sex discrimination in detail and also comprehensively compile in a single place the standards we apply to evaluate claims of discrimination based on race, national origin, disability and age. This initiative increases OCR’s enforcement capacity due to the anticipation of a high volume of new cases that will be immensely complex in that they involve novel issues of law and complicated facts.
Modernizing HIPAA in Supporting Innovation in Healthcare
Since the issuance of the HIPAA rules, there have been significant advances and innovations in health information technology, health delivery systems, and health research. This initiative will focus efforts to modernize the health information privacy and security protections paradigm, while enabling further advances in health care, research, and technology that will improve health outcomes and improve the ability to detect and prevent cyber-attacks. This initiative also encompasses efforts to streamline HIPAA requirements to make them less burdensome—while at the same time ensuring robust enforcement—and to evaluate new areas where HIPAA does not currently apply.