HHS shifts responsibility for the Security Rule to OCR

The Department of Health and Human Services (HHS) has announced that authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) has been delegated to the Office for Civil Rights (OCR). According to HHS, this step will improve its protection of individuals’ health information by “combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”

Until now, enforcement of the HIPAA Privacy Rule was the responsibility of the Office for Civil Rights, while the Centers for Medicare & Medicaid Services (CMS) had administrative and enforcement responsibility for the HIPAA Security Rule.

HIPAA Privacy complaints include impermissible uses and disclosures of protected health information, lack of safeguards of protected health information, uses or disclosures of more than the minimum necessary protected health information, and lack of or invalid authorizations for uses and disclosures of protected health information.

Gallagher: In February of this year, in the Health Information Technology for Economic and Clinical Health [HITECH] section, the American Recovery and Reinvestment Act of 2009 [ARRA] mandated changes to improve enforcement of the HIPAA Privacy Rule and Security Rules. With this HHS announcement, the combination of responsibility within OCR should make enforcement more efficient because the majority of complaints received include both privacy and security components. If there is a privacy violation, most of the time that is due to a security control that is either violated or not working properly. That’s how the rules become interrelated.