Office for Civil Rights to Hire HIPAA Privacy Enforcers

Frank Ruelas, of HIPAA Boot Camp, says the recent moves by HHS–to move security under OCR and to add these new positions–may signal that "we are seeing a methodical evolution of enforcement from a reactive position to one of a proactive position."

"Previously, the enforcement process has been primarily complaint driven and also reflective of voluntary compliance on the part of covered entities," Ruelas adds. "With the recent HITECH Act, the pool of potential complainants will likely increase as will reporting by covered entities given the reporting requirements the HITECH Act."

The Office of the National Coordinator for Health Information Technology issued a report May 18 that highlights how it will carry out HIPAA privacy and security regulations in the HITECH Act.

According to HHS, the federal government will spend about $24.3 million on privacy and security efforts, including:

• Audits


• Reports to Congress


• Training for state attorneys general


• Carrying out regulatory and enforcement requirements of HITECH

"Clearly it would be easy to argue that the recent activity by the OCR to increase its enforcement capabilities, especially in these difficult economic times, is a signal that changes with respect to enforcement are likely looming on the horizon," Ruelas says. "Couple this with the recent delegation by CMS to OCR for enforcement of the HIPAA Security regulation, and one has to realize that the status quo has certainly been altered from an enforcement perspective."