Authority for the HIPAA Security Rule Delegated to Office for Civil Rights
HHS Secretary Kathleen Sebelius announced today that authority for the
administration and enforcement of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Security Rule has been delegated to
the Office for Civil Rights (OCR). OCR's administration and enforcement
of the Security Rule, which had previously been delegated to the Centers
for Medicare & Medicaid Services (CMS), will eliminate duplication and
increase efficiencies in how the department ensures that Americans'
health information privacy is protected.
HHS has the authority for administration and enforcement of the federal
standards for health information privacy called for in HIPAA. The
Privacy Rule provides federal protections for personal health
information held by covered entities and gives patients an array of
rights with respect to that information. OCR has been responsible for
enforcement of the Privacy Rule since 2003. The Security Rule specifies
a series of administrative, technical, and physical security procedures
for covered entities to use to assure the confidentiality of electronic
protected health information. The Health Information Technology for
Economic and Clinical Health (HITECH) Act, part of the American Recovery
and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of
the Privacy Rule and the Security Rule.
"Security and privacy of health information are increasingly
intersecting as the department works with the health industry to adopt
electronic health records and participate in an even greater level of
electronic exchange of health information," said Secretary Sebelius.
"Privacy and security are naturally intertwined, because they both
address protected health information. Combining the enforcement
authority in one agency within HHS will facilitate improvements by
eliminating duplication and increasing efficiency."
Through a separate delegation, CMS continues to have authority for
administration and enforcement of the HIPAA Administrative
Simplification regulations, other than privacy and security of health
For more information, please visit OCR Web site: