The secretary of HHS shifted enforcement of the HIPAA Security Rule from CMS to the Office for Civil Rights (OCR), according to an HHS announcement published Tuesday in the Federal Register.
Until now, OCR has enforced only the HIPAA Privacy Rule, which protects the privacy of patients' health information, and the confidentiality provisions of the Patient Safety Rule, which protect PHI from being used to analyze patient safety events and improve patient safety.
The Security Rule, published in the Federal Register on February 20, 2003, specifies a series of administrative, technical, and physical safeguards that covered entities must implement to assure the confidentiality of electronic protected health information (for example, encryption standards).
"I think it's smart for HHS to merge the enforcement responsibilities," says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP. "But I don't think this signals a watershed shift in enforcement strategy."
The announcement by HHS Secretary Kathleen Sebelius comes as Congress this year passed legislation that supports stronger enforcement of HIPAA laws and imposes greater compliance duties on entities that handle PHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama on February 17, 2009, calls for:
- New security breach notification requirements
- HIPAA Security Rule compliance for business associates who handle PHI
- Contract revisions between covered entities and business associates
- A definition of "unsecured protected health information"
- Expanded criminal penalties and higher monetary penalties
- Authority for state attorneys general to pursue HIPAA civil cases
- Restricting access to some PHI
Will giving OCR the Security Rule have a significant effect on enforcement?
Drummond says the provisions in HITECH that give state attorneys general the ability to pursue HIPAA violations will have a greater impact.
"It never made sense for privacy enforcement and security enforcement to be split up into different agencies," Drummond says. "The new enforcement provisions in [HITECH] were probably the impetus for making the change now. Why OCR instead of CMS? Maybe because OCR has been more visible on the enforcement front and already has more infrastructure to do it, or maybe HHS knew it had to respond to the folks who decried lax enforcement, but was ultimately happy with the way OCR had approached it so far."