On August 3 the HHS Secretary Kathleen Sebelius announced that authority for the administration and enforcement of the HIPAA Security rule will now be delegated to the Office for Civil Rights (OCR). The Security Rule was previously administered and enforced by CMS.  According to a press release issued by HHS, the delegation of both rules to the OCR will avoid duplication and improve efficiencies.  As Ms. Sebelius explained, “[P]rivacy and security are naturally intertwined, because they both address protected health information.  Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.” 

The HIPAA Privacy Rule issues federal protections for ”protected health information” held by covered entities, and the OCR has been in charge of the enforcement of this rule since 2003.  The Security Rule requires similar administrative, technical, and physical security safeguards that are specific to protected health information that is in electronic form. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) mandated improved enforcement of the Privacy Rule and Security Rule.  

The news release can be accessed here.