Sebelius Shifts HIPAA Security Rule Enforcement to Civil Rights Office

Dom Nicastro, for HealthLeaders Media, August 3, 2009

The Health Information for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama on February 17, 2009, calls for:

  • New security breach notification requirements

  • HIPAA Security Rule compliance for business associates who handle PHI

  • Contract revisions between covered entities and business associates

  • Definition of "unsecure protected health information"

  • Expanded criminal penalties and higher monetary penalties

  • Power to state attorneys general to pursue HIPAA civil cases

  • Restricting access to some PHI

Will giving OCR the security rule have a great effect on enforcement?

Drummond says there will be more of an impact from the provisions in HITECH that give state attorneys general the ability to pursue HIPAA violations.

"It never made sense for privacy enforcement and security enforcement to be split up into different agencies," Drummond says. "The new enforcement provisions in [HITECH] were probably the impetus for making the change now. Why OCR instead of CMS? Maybe because OCR has been more visible on the enforcement front and already has more infrastructure to do it, or maybe HHS knew it had to respond to the folks who decried lax enforcement, but was ultimately happy with the way OCR had approached it so far."


Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.