Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule.
Perhaps this is an indicator of more enforcement to come. As a quick review…
- On August 21, 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).
- The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs) two years to meet compliance.
- The HIPAA Security Rule went into effect in April 2003 and CEs had until April 2005 to get into compliance.
- As of August 24, 2007, the Centers for Medicare & Medicaid Services (CMS), responsible for the HIPAA Security Rule enforcement, and the Office for Civil Rights (OCR), responsible for HIPAA Privacy Rule compliance, had not even established any policies or procedures for conducting compliance reviews at CEs. This even though a significant number of HIPAA complaints had been received.
To date, unless I’ve missed something recently, there have only been two fines/penalties applied, and they both came from the OCR.
- 02/18/09: CVS pharmacies, for improper disposal of PHI; penalty: $2.25 million, plus information security improvements and ongoing audits
- 07/2008: Providence Health & Services, for loss of electronic backup media and laptop computers containing individually identifiable information; penalty: $100,000, plus implementation of a detailed Corrective Action Plan to ensure that it will appropriately safeguard individually identifiable health information and electronic patient information against theft or loss
NOTE: for more information about the history of HIPAA felony judgments, fines and penalties, see my article from early this year, “HIPAA felony convictions, sanctions and upcoming trends”.
Through the end of December 2008, the OCR had received 41,807 HIPAA complaints, with 6,019 (14%) of the total still open. Upon a quick check, I couldn’t find any more recent data.
CMS was actually doing a better job of keeping its enforcement statistics up to date, but its reports are a bit confusing. If I’m reading them correctly, as of June 30, 2009, CMS had received 1,472 complaints, of which 71 (5%) were still open.
In the statement, HHS Secretary Kathleen Sebelius said the reassignment “will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.”
No kidding! From the very beginning I’ve seen huge confusion in organizations, not only because of having a Privacy Rule and a separate Security Rule (they both should have been a combined regulation), but because having two separate oversight agencies led many CEs to think they had to have separate internal departments responsible for compliance, with the Privacy Rule largely the responsibility of the privacy office and legal counsel, and the Security Rule the responsibility of the information security office and IT. This often resulted in complete confusion and chaos!
It will make things much less confusing, not only for CEs and BAs but also for the oversight agencies, and will hopefully lead to more active and more effective enforcement actions.
I’ll watch this closely to see how any audits, fines and penalties evolve as both rules are now under the governance of just the OCR.
All in all, this change is a good thing, and long overdue.
Here is the full text of the Federal Register notice where the reassignment of responsibility is made:
“Part F of the Statement of Organization, Functions, and Delegations of Authority of the Department of Health and Human Services, Centers for Medicare & Medicaid Service (CMS), 68 FR 60694, dated October 23, 2003, is superseded to include the following delegation of authority from the Secretary to the Administrator, CMS, with the authority to redelegate, to carry out the following administrative and enforcement activities invested in the Secretary of the Department of Health and Human Services under part C, of title XI of the Social Security Act, as amended.
• Section F.30., Delegations of Authority, is superseded to include the following delegation of authority for certain provisions under part C, of title XI of the Social Security Act. WW. 1. The authority under section 262 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, as amended, except to the extent these actions pertain to the “Security Standards for the Protection of Electronic Protected Health Information,” or the “Standards for Privacy of Individually Identifiable Health Information” at 45 CFR, part 160 and part 164, subparts A, C, and E to:
A. impose civil money penalties under section 1176 of the Social Security Act for a covered entity’s failure to comply with certain requirements and standards;
B. issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with certain requirements and standards; and
C. make exception determinations, under section 1178(a)(2)(A) of the Social Security Act, concerning when provisions of State laws that are contrary to the Federal standards are not preempted by the Federal provisions.
2. The authority under section 262 of HIPAA, Public Law 104-191, as amended, to administer and to make decisions regarding the interpretation, implementation and enforcement of the regulations adopting standards and general administrative requirements under 45 CFR, part 160 and part 162, except to the extent these actions pertain to the “Security Standards for the Protection of Electronic Protected Health Information,” or the “Standards for Privacy of Individually Identifiable Health Information” at 45 CFR, part 160 and part 164, subparts A, C, and E.
Exclusion to This Authority
All actions under Part C of Title XI of the Social Security Act that pertain to “Security Standards for the Protection of Electronic Protected Health Information” or the “Standards for Privacy of Individually Identifiable Health Information”, were delegated by the Secretary to the Director, Office for Civil Rights, and are excluded from this delegation. This delegation to the Administrator also excludes the authority to issue regulations and to hold hearings and issue final determinations if the respondent has requested a hearing on the imposition of civil monetary penalties. This delegation shall be exercised under the Department’s existing delegation of authority and policy relating to regulations. This delegation supersedes the memorandum from the Secretary to the Administrator, Centers for Medicare & Medicaid Services, dated October 7, 2003, titled “Delegation of Authority for Certain Provisions Under Part C of Title XI of the Social Security Act.” I hereby affirm and ratify any actions taken by the Administrator of CMS or his/her subordinates which involved the exercise of the authority delegated herein prior to the effective date of this delegation. This delegation is effective immediately.”