Clark Hill

Health Care Law Alert  August 3, 2009 

 

Health Care Practice Group Leaders

 

248.988.5842

 

 

480.684.1102


Contributor

 


Michael W. Matthews

248.988.5870

 

CLIENT ALERT:

 

 

HIPAA Security Rule Will Be Enforced By The OCR

Today, the U.S. Department of Health and Human Services ("HHS") and Centers for Medicare & Medicaid Services ("CMS") announced that the Health Insurance Protection and Accountability Act of 1996 ("HIPAA") Security Rule[1]  will be administered, monitored and enforced by the Office of Civil Rights ("OCR").   Such oversight also includes all additional health information technology related security and privacy responsibilities set forth under the American Recovery and Reinvestment Act of 2009 ("ARRA"). 

 

 The announcement was published through a notice today at the Office of the Federal Register, Public Inspection Desk (the "Notice") and is scheduled to be published in the Federal Register on August 4, 2009.  The Notice is available online at: http://www.federalregister.gov/OFRUpload/OFRData/2009-18561_PI.pdf.

 

 Previously, CMS retained authority for administering, monitoring and enforcing the HIPAA Security Rule through the CMS Office of E-Health Standards and Services ("OESS"), and the OCR administered, monitored and enforced the HIPAA Privacy Rule.[2]

 

 According to the Notice, effective immediately, the OCR will receive authority to administer, monitor, and enforce both the HIPAA Privacy Rule and the HIPAA Security Rule in addition to all of the new privacy and security requirements prescribed by the ARRA (e.g. privacy and security for electronic health records). 

 

 Historically, after enactment of the HIPAA Privacy Rule and HIPAA Security Rule (the "Rules"), OCR and CMS worked together on enforcement of the Rules.  In the near future ARRA will require additional security measures for health information contained in electronic health records; therefore, it's likely that HHS is attempting to consolidate its monitoring and enforcement efforts within a single agency like OCR.  As health systems continue to implement electronic health records and participate in regional health information exchanges, efforts to have a single agency administer, monitor and enforce the HIPAA Rules appear to make sense.  As more patient health information goes from paper to electronic form, a single agency concept seems sensible because many current HIPAA complaints implicate aspects of both the Privacy and Security Rule and future complaints are likely to follow this trend. 

 


Clark Hill's Health Care Team can assist your organization with any one or more of the following:

 

• Development of HIPAA Policies;
• Review and analysis of your organization's current HIPAA Policies;
• Staff, Management, and Board Training regarding HIPAA;
• Advice, counsel and defense regarding privacy breach claims; and
• Assistance with privacy complaints and OCR investigations.

 

 If your organization has questions about HIPAA and the impending regulatory changes addressed in the ARRA, please contact Gregory W. Moore directly at (248) 988-5842 or by email at gmoore@clarkhill.com or contact Michael W. Matthews directly at (248) 988-5870 or by email at mmatthews@clarkhill.com.

 

[1] The HIPAA Security Rule is located at 45 CFR Parts 160, 162, and 164.

[2] The HIPAA Privacy Rule is located at 45 CFR Part 160 and  45 CFR Part 164 Subparts A and E.

 

 

To find out more about Clark Hill and our Health Care Practice Group, visit clarkhill.com or call 800.949.3124

 

 

Clark Hill PLC | 500 Woodward Ave | Suite 3500 | Detroit | MI | 48226