HIPAA Regulatory Alert

HIPAA security enforcement now under HHS OCR

The U.S. Department of Health and Human Services (HHS) is shifting enforcement authority of the HIPAA security rule from the Centers for Medicare & Medicaid Services (CMS) to the HHS Office of Civil Rights. Since 2003, the Office of Civil Rights has overseen enforcement of the HIPAA privacy rule, which protects the confidentiality of patients' health information.

The security rule specifies administrative and technical procedures for safeguarding electronic protected health information. "Privacy and security are naturally intertwined, because they both address protected health information," said HHS Secretary Kathleen Sebelius in a prepared statement. "Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency."

The change, which took effect July 27, authorized the HHS Office of Civil Rights to impose civil penalties for HIPAA security violations, issue subpoenas related to such investigations, and determine if federal standards preempt related state laws.