In case you missed it, the Department of Health and Human Services (HHS) has delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR).
In the article, Secretary Sebelius commented:
“Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information. Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”
Why should this announcement be taken seriously in the healthcare industry?
Enforcement changes are coming.
There is no doubt that pressure on HHS to enforce security and privacy in healthcare is mounting. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has now been around for 13 years, and new mandates such as the Health Information Technology for Economic and Clinical Health (HITECH) Act and part of the American Recovery and Reinvestment Act of 2009 (ARRA) both require improved enforcement of both rules.
Congratulations to Secretary Sebelius for recognizing the advantages of eliminating duplication and increasing efficiencies within HHS. But now comes the hard part – getting healthcare institutions to effectively and fully implement HIPAA, HITECH, PCI, FACTA and many other state and federal mandates.
Healthcare managers should be thankful for the 13 years of lax HIPAA enforcement. Now that the HIPAA alert has been delivered, they should be taking aggressive action to avoid being the next enforcement poster child.