OCR: The HIPAA enforcer?

HIM-HIPAA Insider, August 10, 2009

You know the "what" when it comes to HIPAA privacy and security enforcement: New federal laws this year include larger monetary fines, periodic audits, civil-suit authority for state attorneys general, and new HIPAA Security Rule compliance obligations for business associates (BAs) of covered entities.

You now know the "who": The Office for Civil Rights (OCR), long the HIPAA Privacy Rule warden, inherits enforcement of the Security Rule per a July 27 announcement by HHS Secretary Kathleen Sebelius.

But for covered entities, "when" and "how much" remain the bigger questions. When will this stepped-up enforcement arrive? And how regular will it be?

"I think the initial intent is to combine privacy and security investigations, audits, etc., in one division given [that] many security violations/breaches lead to privacy breaches," says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. "It's logical that there be one enforcement shop for privacy and security. As far as what it means on the auditing side, that's likely not something we will know until next year."
