[Wg-p3] Fwd: HHS/CMS Announces Shift in Enforcement of HIPAA Security Rule

Brett McDowell email at brettmcdowell.com
Mon Aug 3 14:31:27 PDT 2009

I thought members of this WG would want to know about this development.

BTW, I asked Walter if I could forward the message (given his email
footer I wasn't sure).  He told me I could and should forward it with
whomever I wish, and I pass that license off to you as well :-)

Brett McDowell | +1.413.652.1248 | http://KantaraInitiative.org

---------- Forwarded message ----------
From: walter.suarez <walter.suarez at sga.us.com>
Date: Mon, Aug 3, 2009 at 10:07 AM
Subject: HHS/CMS Announces Shift in Enforcement of HIPAA Security Rule
To: ALLTC at maillist.ansi.org

Good morning all,

HHS/CMS just announced via a Federal Register notice an important
shift in the internal responsibility/delegation of authority for the
monitoring and enforcement of the HIPAA Security Rule (and all
additional health IT-related security responsibilities, under ARRA).

Previously, the responsibility for administering (interpretation,
education, guidance, FAQs, etc.), monitoring and enforcing the HIPAA
Security Rule was a CMS responsibility (specifically, the CMS Office
of E-Standards and Services or CMS/OESS).  The administration,
monitoring and enforcement of the HIPAA Privacy Rule fell under the
Office for Civil Rights (OCR).

Effective July 27, 2009, CMS will no longer be handling the HIPAA
Security Rule.  HHS has made the decision to transfer the
responsibility to OCR, which will now have the administrative and
enforcement authority for BOTH the HIPAA Privacy and HIPAA Security
Rules, in addition to all the new ARRA provisions on privacy and
security (covering security of EHRs).

The Notice, posted on public display this morning in the Federal
Register, and to be officially published tomorrow in the printed
version of the FR, can be found at:

Over the past few years since the enactment of both HIPAA Rules, OCR
and CMS have worked together on the administration and enforcement of
the two rules.  According to their accounting of complaints and cases
brought forward, the majority included both a Privacy and a Security
component.  In addition, with the Recovery Act calling for increased
security and enforcement of personal health information on EHRs, it
seems HHS thought it would be the right time to make this transition
and have a single office within the agency handle both inter-related

It is expected that people will be able to continue filing complaints
through the same online system, and that during a transition period,
CMS will continue to work and now assist OCR in administering the
Security enforcement responsibilities, as well as the administration
of the Rule.

A press release announcement is also expected to come out soon.


Walter G. Suarez, MD, MPH
Director of Health IT Strategy
Kaiser Permanente
2221 Broadbirch Dr.
Silver Spring, MD 20904-1984
phone: 301.625.4351  |  mobile: 301.801.3207  |   fax: 301.625.4533  |
 e-mail: walter.g.suarez at kp.org

NOTICE TO RECIPIENT:  If you are not the intended recipient of this
e-mail, you are prohibited from sharing, copying, or otherwise using
or disclosing its contents.   If you have received this e-mail in
error, please notify the sender immediately by reply e-mail and
permanently delete this e-mail and any attachments without reading,
forwarding or saving them.  Thank you.
------- End of Forwarded Message -------
