HHS Secretary Kathleen Sebelius announced on August 3rd that authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule has been delegated to the Office for Civil Rights (OCR). Previsouly, the Centers for Medicare & Medicaid Services (CMS) had been delegated this task.  The aim of consolidating the administration of the HIPAA Security Rule with OCR is to “eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.”

OCR has been responsible for the administration of the HIPAA Privacy Rule since 2003.  The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

“Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information,” said Secretary Sebelius. “Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”

For more information click here.