OCR Boosting Security Enforcement
The health care industry can soon expect a greater emphasis on enforcing the HIPAA security rule than in years past.
That’s the message that Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights, delivered May 11 at the Safeguarding Health Information conference in Washington. OCR sponsored the conference with the National Institute of Standards and Technology.
Federal enforcement of the security rule transitioned in 2009 from the Centers for Medicare and Medicaid Services to the OCR. The office continues to build expertise on the security rule, but much of the transition work is done, McAndrew says. “Transitions are always longer than you expect.”
To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes. “We’re hoping that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.”
The HITECH Act links privacy and security--and enforcement of both HIPAA rules--enabling regulators to look at these issues from a more holistic viewpoint, McAndrew says. As the electronic world moves into the clinical side, the health care industry increasingly will find that privacy and security issues collide, she contends. “Without a sound security policy, privacy will just be a principle.”
Consequently, 2010 is when the industry will really start to see a realization of HITECH’s privacy and security initiatives enacted in 2009, McAndrew says. “We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement.”