<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Law Blog 2.0 &#187; Enforcement</title>
	<atom:link href="http://law2point0.com/wordpress/topics/computer-security-law-federal/enforcement-computer-security-law-federal/feed/" rel="self" type="application/rss+xml" />
	<link>http://law2point0.com/wordpress</link>
	<description>This blog covers privacy, security, health information technology and e-discovery related topics. The primary goal of this blog is to raise public awareness of legal issues pertaining to the use of law and technology.</description>
	<lastBuildDate>Sat, 12 Jun 2010 02:39:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>HHS Transfers Enforcement of the HIPAA Security Rule to OCR (Office of Civil Rights)</title>
		<link>http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/</link>
		<comments>http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 05:56:56 +0000</pubDate>
		<dc:creator>Robert Hudock</dc:creator>
				<category><![CDATA[CMS]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Security]]></category>
		<category><![CDATA[Health and Humans Services (HHS)]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>
		<category><![CDATA[Privacy Law]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Poor Enforcement]]></category>

		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=986</guid>
		<description><![CDATA[It appears HHS has taken this critique to heart.  HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA).  Previously, responsibility for administering (interpretation, education, guidance, FAQs, etc.), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS).  The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_921" class="wp-caption alignleft" style="width: 160px"><a href="http://law2point0.com/wordpress/wp-content/uploads/2009/07/bigstockphoto_Analyzing_The_Laptop_4595739.jpg"  ><img class="size-thumbnail wp-image-921"  src="http://law2point0.com/wordpress/wp-content/uploads/2009/07/bigstockphoto_Analyzing_The_Laptop_4595739-150x150.jpg" alt="HIPAA Enforcement" width="150" height="150" /></a><p class="wp-caption-text">HIPAA Enforcement</p></div><br />
On October 27, 2008, OCR issued a final report assessing CMS’s enforcement of the HIPAA Security Rule, entitled Nationwide Review of the Centers for Medicare &amp; Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (available at <span style="text-decoration: underline;"><a href="http://law2point0.com/wordpress/wp-content/uploads/2009/08/CriticalOCR.pdf" target="_blank">CriticalOCR</a></span>), which concluded that:</p>
<blockquote><p>CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal regulations as of February 16, 2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.</p></blockquote>
<p>It appears HHS has taken this critique to heart.  HHS recently released notice of an important shift in the internal responsibility/delegation of authority for the monitoring and enforcement of the HIPAA Security Rule (and all additional health IT-related security responsibilities, under ARRA).  Previously, responsibility for administering (interpretation, education, guidance, FAQs, etc.), monitoring and enforcing the HIPAA Security Rule was a CMS responsibility (specifically, the CMS Office of E-Standards and Services or CMS/OESS).  The administration, monitoring and enforcement of the HIPAA Privacy Rule fell under the Office for Civil Rights (OCR).</p>
<p>As of July 27, 2009, CMS will no longer handle enforcement of the HIPAA Security Rule.  HHS has made the decision to transfer the responsibility to OCR, which will now have the administrative and enforcement authority for both the HIPAA Privacy and HIPAA Security Rules, in addition to all the new ARRA provisions on privacy and security (covering security of EHRs).  The Notice will be officially published August 4, 2009 in the Federal Register. (http://www.federalregister.gov/OFRUpload/OFRData/2009-18561_PI.pdf)</p>
<p>Over the past few years since the enactment of both HIPAA Rules, OCR and CMS have worked together on the administration and enforcement of the two rules.  According to their accounting of complaints and cases brought forward, the majority included both a Privacy and a Security component.  In addition, the ARRA will result in increased security and enforcement of personal health information on EHRs; it seems HHS thought it would be the right time to make this transition and have a single office within the agency handle both related areas.</p>
<p>It is expected that people will be able to continue filing complaints through the same online system and that, during a transition period, CMS will continue to work with, and now assist, OCR in administering the Security enforcement responsibilities, as well as the administration of the Rule.  Increased enforcement is extremely likely.</p>
<div id="spreadx">&nbsp;<a target="_blank" href="http://digg.com/submit?phase=2&url=http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/"  target="_new"><img src="http://law2point0.com/wordpress/wp-content/plugins/spreadx/images/digg.gif" alt="Digg" border="0" /></a>&nbsp;&nbsp;<a target="_blank" href="http://www.facebook.com/share.php?u=http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/"  target="_new"><img src="http://law2point0.com/wordpress/wp-content/plugins/spreadx/images/facebook.gif" alt="Facebook" border="0" /></a>&nbsp;&nbsp;<a target="_blank" href="http://www.stumbleupon.com/submit?url=http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/&title=HHS+Tranfers+Enforcement+of+the+HIPAA+Security+Rule+to+OCR+%28Office+of+Civil+Rights%29"  target="_new"><img src="http://law2point0.com/wordpress/wp-content/plugins/spreadx/images/stumble.gif" alt="StumbleUpon" border="0" /></a>&nbsp;&nbsp;<a target="_blank" href="http://technorati.com/faves?add=http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/"  target="_new"><img src="http://law2point0.com/wordpress/wp-content/plugins/spreadx/images/technorati.gif" alt="Technorati" border="0" /></a>&nbsp;&nbsp;<a target="_blank" href="http://del.icio.us/post?url=http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/&title=HHS+Tranfers+Enforcement+of+the+HIPAA+Security+Rule+to+OCR+%28Office+of+Civil+Rights%29"  target="_new"><img src="http://law2point0.com/wordpress/wp-content/plugins/spreadx/images/delicious.gif" alt="Deli.cio.us" border="0" /></a>&nbsp;</div><p><a 
href="http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/" rel="bookmark">HHS Transfers Enforcement of the HIPAA Security Rule to OCR (Office of Civil Rights)</a> originally appeared on <a href="http://law2point0.com/wordpress">Law Blog 2.0</a> on August 5, 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://law2point0.com/wordpress/2009/08/05/hhs-tranfer-of-enforcement-of-the-hipaa-security-rule-to-ocr-officr-of-civil-rights_/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
