HHS Reassignment Of HIPAA Enforcement Duties Signals Rising Seriousness of Enforcement Commitment

August 3, 2009

The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR).  Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS).  The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information.  HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.

HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.

The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending.  This impending guidance relates to  the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use of technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February.  OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009. 

In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects.  Among other things, it amended HIPAA to:

  • Broaden the applicability of the HIPAA’s Privacy Rules and penalties to include business associates;
  • Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
  • Increase criminal and civil penalties for HIPAA Privacy Rules violators;
  • Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
  • Modify certain HIPAA use and disclosure and accounting requirements and risks;
  • Prohibits sales of PHI without prior consent;
  • Tighten certain other HIPAA restrictions on uses or disclosures;
  • Tighten certain HIPAA accounting for disclosure requirements;
  • Clarify the definition of health care operations to excludes certain promotional communications; and
  • Expand the Business Associates Agreement Requirements.

These and other developments make it imperative HIPAA covered entities and their business associates take prompt action to immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

For more information about today’s announcement, see here.  See here for the initial guidance and request for comments issued by HHS regarding these new security standards.

Chair Elect of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits  Council member, and Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Cynthia Marcotte Stamer is  nationally and internationally recognized for her work assisting businesses, employee benefit plan fiduciaries and vendors, governments, and other entities to develop administer and defend cost-effective employee benefit other human resources programs, policies and procedures to meet their budgetary, risk management and compliance and other objectives.  Board certified in Labor & Employment law, Ms. Stamer applies her extensive experience regarding employment, employee benefit, tax, privacy and data security and other related laws to assists clients in a wide range of business and litigation contexts.   The co-founder of the Solutions Law Consortium, Ms. Stamer also makes extensive use of cloud computing and other technology in her own practice and provides input to human resources and other clients others about the use of these and other technology tools to manage employee benefit, human resources, internal controls and other operations.  In connection with this work, Ms. Stamer has works, writes and consults extensively with a diverse range of clients about  the development, use technology and other processes to streamline health and other benefit, payroll and other human resources, employee benefits, tax, compliance and other business processes and the management and protection of sensitive personal and other information and data.

If your organization or employee benefit plan needs assistance managing or evaluating options or responsibilities associated with the use of technology and data in connection with its health care, employee benefits, tax or other operation or other human resources, employee benefits or and compliance concerns, please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402; or your favorite Curran Tomko Tarski, LLP attorney.  For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi, LLP team, see here.

More Information & Resources

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here /the Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press HR & Benefits Update distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

©2009 Cynthia Marcotte Stamer. All rights reserved.