Blog | Enterprise Risk Management

Healthcare News of Note: More Office for Civil Rights funding could boost HIPAA enforcement

  • As hackers continue to attack healthcare organizations and steal the medical information of tens of millions of people in the U.S. every year, the underfunded and understaffed Office for Civil Rights struggles with an overflowing caseload, according to a Politico article.
  • Inequities in the U.S. health system cost approximately $320 billion today and could eclipse $1 trillion in annual spending by 2040 if left unaddressed, according to an analysis by Deloitte actuaries.
  • Primary care physicians do not have enough time to provide the care required to comply with guidelines, according to a recent study.

Over the last few weeks, I have found these industry news stories that should be of interest to healthcare finance professionals.     

1. Politico: Cyberattacks on healthcare organizations overwhelm Office for Civil Rights

As hackers continue to attack healthcare organizations and steal the “medical information of tens of millions of people in the U.S. every year,” the underfunded and understaffed Office for Civil Rights (OCR) struggles “with an overflowing caseload,” according to an Aug. 28 Politico article.

OCR, “which is tasked with investigating breaches, helping health care organizations bolster their defenses, and fining them for lax security, is poorly positioned to help … and Congress has given it few resources to do the job,” wrote author Ben Leonard.

“Another problem is that the office relies on the cooperation of the victims, the institutions that hackers have targeted, to provide evidence of the crimes,” wrote Leonard. “Those victims may sometimes be reluctant to report breaches, since HHS could then accuse them of violating HIPAA and levy fines that come on top of costs stemming from the breach and the ransoms often demanded by the hackers.”

Just what would a budget increase fund?

But providing more funding for OCR — a roughly 58% budget increase in FY23, to $60 million, has been proposed by the Biden administration — isn’t all that’s needed if you ask hospital and health system advocates, according to the article.  

Leonard wrote, “Advocates for victims want to be sure those new hires would favor helping them prevent future attacks over penalizing them for failing to stop past ones.

“For the most part, that’s what the office does, but fines are always a possibility and [Melanie] Fontes Rainer [acting OCR director] said more resources will yield more enforcement that will encourage health care organizations to meet their obligations under HIPAA. Tim Noonan, a high-ranking official under Fontes Rainer, also expects it will bolster the agency’s ability to offer guidance and technical assistance.”

Cybersecurity by the numbers

The article also provided statistics on cybersecurity issues faced by healthcare organizations and the people affected by those breaches:

  • More than two-thirds of healthcare organizations had a “significant incident” in 2020 — mostly phishing or ransomware attacks, according to a 2021 survey by the Healthcare Information and Management Systems Society.
  • Health data breaches have impacted 113 million people since 2020, according to OCR data.
  • As of Aug. 25, the records of 28.6 million people were obtained by hackers in 2022, and the number is projected to rise to 53 million by the end of the year, per OCR data.

2. Processes stakeholders can use to help quell the cost of health inequities

“Inequities in the US health system cost approximately $320 billion today and could eclipse $1 trillion in annual spending by 2040 if left unaddressed,” according to results of work by Deloitte actuaries published June 22 in a Deloitte Insights article.

To determine the cost of health inequities, Deloitte’s actuarial team developed a model to quantify the link between healthcare spending and healthcare disparities related to race, socioeconomic status and sex/gender, and analyzed several high-cost diseases, according to the article.

“If left unaddressed, health inequities and the additional $1 trillion in overall spending can have profound implications for people, organizations, and the world,” wrote the authors. “Health care costs likely will rise to an unsustainable level, resulting in unaffordable bills and declining health and productivity for the population.”

What industry stakeholders can do

The authors encouraged stakeholders to take immediate action “to mitigate these future consequences,” offering five underlying processes to consider. Among them:

  • Be intentional: Infusing equity-centered thinking into business choices should be prioritized to build wellness-focused, outcomes-driven prevention and delivery systems that seek to serve everyone, regardless of race, ethnicity and socioeconomic status.
  • Form cross-sector partnerships: To truly enable health equity, organizations should form partnerships across the industry. Change likely will require contributions from current actors, new actors and the government.
  • Address individual and community-level barriers: Up to 80% of health is affected by social, economic and environmental factors. These social determinants of health include physical environment, food, infrastructure, economy, wealth, employment, education, social connections and safety.

3. Primary care physicians need more hours in the day to provide recommended care

“PCPs [primary care physicians] do not have enough time to provide the guideline-recommended primary care” required of them, according to a study published July 1 in the Journal of Internal Medicine.

The researchers, who conducted a simulation study where preventive and chronic disease care guidelines were applied to hypothetical patient panels, determined PCPs would need 26.7 hours a day to provide such care. The 26.7-hour day would be composed of:

  • 14.1 hours for preventive care
  • 7.2 hours for chronic disease care
  • 2.2 hours for acute care
  • 3.2 hours for documentation and inbox management

“With team-based care the time requirements would decrease by over half, but still be excessive,” the researchers wrote, adding that team-assisted PCPs were estimated to require a 9.3-hour day. The study showed such a day would be composed of:

  • 2.0 hours per day for preventive care
  • 3.6 hours per day for chronic disease care
  • 1.2 hours per day for acute care
  • 2.6 hours per day for documentation and inbox management

HFMA bonus content

  • Read the September issue of hfm magazine, including the cover story “Revenue cycle automation helps health systems regain financial footing during COVID-19 and beyond.”
  • Listen to the latest Voices in Healthcare Finance podcast episode, “Ensuring your patients and staff are prepared for the next disaster.”
  • Read the Q&A “Improved access and quality of care are keys to solving the nation’s mental illness,” featuring Thomas Young, MD, a long-time advocate for improving mental health in the United States.


About the Author

Deborah Filipek is a senior editor at HFMA, Downers Grove, Ill.
