HHS Increases Budget for Cybersecurity and HIPAA Enforcement

The Department of Health and Human Services (HHS) has released the proposed 2025 “Building a Healthy America” budget. While the HHS budget covers the usual healthcare areas such as Medicare, Medicaid, and public health, it also shows an increased focus on cybersecurity and on enforcement actions to address failures in cybersecurity.

As pointed out in the budget overviews, between 2018 and 2022 there was a 95% increase in large data breaches. HHS is investing in its own infrastructure for better data protection: $12 million is included for the Administration for Strategic Preparedness and Response (ASPR) to coordinate cybersecurity incident prevention and response.

For healthcare providers, the budget shows evidence of HHS’s plan to encourage good cybersecurity practices and to penalize those who fail to implement them.

The HHS budget establishes a $1.3 billion Medicare incentive program to encourage hospitals to adopt enhanced cybersecurity practices, such as those outlined in the Healthcare Sector Cybersecurity report. While there is no information yet on how this funding would be distributed, its inclusion is encouraging. However, the focus on hospitals suggests the funding may not address some of the serious cybersecurity risks in other parts of our healthcare system, such as physician practices and post-acute care.

The budget also includes an additional $17 million for the HHS Office for Civil Rights (OCR) to enforce HIPAA violations and to address its backlog of cases. This represents an increase of over 42% from the prior year’s budget. Traditionally, the OCR has funded investigations from the fines assessed against organizations. However, a change in the fine structure and a focus on the right of access to PHI have left less funding available to investigate the significant breaches. The last report on the breach backlog, in 2022, indicated there were at least 8,000 cases, and we can assume that volume has grown given the increase in ransomware and other risks. These investigations have traditionally taken a long time to resolve; for example, two settlements announced in 2024 relate to incidents from 2015 and 2016. However, the OCR has also indicated it is working to become more proactive. On March 13, it opened an investigation into the recent Change Healthcare cyberattack before receiving the formal report of the incident from Change Healthcare.

As we await further information on both the incentive and enforcement programs, healthcare providers and their business associates must implement good cybersecurity practices. In 2021 the HIPAA Safe Harbor Bill gave us all an incentive to improve our practices by directing the OCR to reduce fines and enforcement efforts for organizations that could show they had implemented recognized security practices. Recent developments have shown that bad actors are attacking our data daily, and as we have seen from the Change Healthcare incident, the costs of a successful attack can be devastating.

CompliancePoint has a team of healthcare professionals that can help your organization achieve and maintain compliance with all aspects of HIPAA. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.