HHS announced Tuesday it is expanding its privacy enforcement team with two HIPAA "privacy specialists" who will help the public better understand their rights under HIPAA and enforce compliance among covered entities and business associates.
The jobs–called "senior health information privacy outreach specialists"–were opened Tuesday and will remain as such until August 31, according to usajobs.com.
The new hires will operate under the Office for Civil Rights (OCR), which enforces the HIPAA Privacy Rule and Security Rule and the confidentiality provisions of the Patient Safety and Quality Improvement Act through its Division of Health Information Privacy; HIPAA Security came under OCR’s umbrella on July 27.
The $120,000 to $150,000 positions will report to the deputy director for Health Information Privacy and the OCR director.
The news comes a little less than a month after HHS announced it would advertise a position for two "Health Information Privacy Specialists." Those positions, according to the job posting at the time, are "responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."
The jobs posted a month ago seem to be in-house policy-makers, while the duties for the jobs opened this week are about public education and enforcement.
As for the positions advertised this week, they are to provide the "functional leadership, oversight, supervision, and coordination necessary to plan, coordinate, and execute activities necessary to provide outreach, public education, and technical assistance on the requirements of the Privacy Rule and Patient Safety to increase public awareness of rights and protections under these authorities and the responsibilities of entities to comply with these authorities."
Frank Ruelas, of HIPAA Boot Camp, says the recent moves by HHS–to move security under OCR and to add these new positions–may signal that "we are seeing a methodical evolution of enforcement from a reactive position to one of a proactive position."
"Previously, the enforcement process has been primarily complaint driven and also reflective of voluntary compliance on the part of covered entities," Ruelas adds. "With the recent HITECH Act, the pool of potential complainants will likely increase as will reporting by covered entities given the reporting requirements the HITECH Act."
The Office of the National Coordinator for Health Information Technology issued a report May 18 that highlights how it will carry out HIPAA privacy and security regulations in the HITECH Act.
According to HHS, the federal government will spend about $24.3 million on privacy and security efforts, including:
- Audits
- Reports to Congress
- Training for state attorneys general
- Carrying out regulatory and enforcement requirements of HITECH
"Clearly it would be easy to argue that the recent activity by the OCR to increase its enforcement capabilities, especially in these difficult economic times, is a signal that changes with respect to enforcement are likely looming on the horizon," Ruelas says. "Couple this with the recent delegation by CMS to OCR for enforcement of the HIPAA Security regulation, and one has to realize that the status quo has certainly been altered from an enforcement perspective."