Corporate Compliance

HIPAA Security Rule enforcement now falls under Civil Rights office

Compliance Monitor, August 5, 2009

By Dom Nicastro, for HealthLeaders Media
 
The secretary of HHS shifted enforcement of the HIPAA security rule from CMS to the Office for Civil Rights (OCR), according to a July 27 announcement in the Federal Register.
 
Until now, OCR has enforced only the HIPAA privacy rule, which protects the privacy of patients' health information, and the confidentiality provisions of the patient safety rule, which protects PHI from being used to analyze patient safety events and improve patient safety.
 
The security rule, published in the Federal Register on February 20, 2003, specifies a series of administrative, technical, and physical security procedures for covered entities to assure the confidentiality of electronic protected health information (e.g., encryption standards).
 
"I think it's smart for HHS to merge the enforcement responsibilities," says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP. "But I don't think this signals a watershed shift in enforcement strategy." 
 
The announcement by HHS Secretary Kathleen Sebelius comes as Congress this year passed a bill that supports stronger enforcement of HIPAA and imposes greater compliance duties on entities that handle PHI.
 
The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama February 17, 2009, calls for: 
  • New security breach notification requirements
  • HIPAA security rule compliance for business associates who handle PHI
  • Contract revisions between covered entities and business associates
  • Definition of "unsecure protected health information"
  • Expanded criminal penalties and higher monetary penalties
  • Power to state attorneys general to pursue HIPAA civil cases
  • Restricted access to some PHI

Drummond says there will be more of an impact from the provisions in the HITECH Act that give state attorneys general the ability to pursue HIPAA violations.
 
"It never made sense for privacy enforcement and security enforcement to be split up into different agencies," Drummond says. "The new enforcement provisions in [HITECH] were probably the impetus for making the change now. Why OCR instead of CMS? Maybe because OCR has been more visible on the enforcement front and already has more infrastructure to do it, or maybe HHS knew it had to respond to the folks who decried lax enforcement, but was ultimately happy with the way OCR had approached it so far."