CMS shifts HIPAA security rule responsibility to Office of Civil Rights
The OCR now will administer and make decisions regarding the interpretation, implementation and enforcement of the HIPAA regulations security rule. Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), said in an interview that the office also will bear responsibility for issuing changes to guidance and policy.
Gallagher explained that until this point, the two departments had been sharing responsibilities. As a result, every complaint required the Department of Health and Human Services (HHS) and OCR to collaborate, which slowed the process down considerably.
"Now, all complaints will be handled within one organization, which should increase efficiency," she noted.
According to CMS, the OCR will have the following HIPAA authorities, except for:
- Imposing civil money penalties under the Social Security Act for a covered entity's failure to comply with certain requirements and standards;
- Issuing subpoenas to require the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with certain requirements and standards; and
- Making exception determinations, under the Social Security Act, concerning when provisions of state laws that are contrary to the federal standards are not preempted by the federal provisions.
According to HHS Secretary Kathleen Sebelius, "This delegation to the [CMS] Administrator also excludes the authority to issue regulations and to hold hearings and issue final determinations if the respondent has requested a hearing on the imposition of civil monetary penalties. This delegation shall be exercised under the Department's existing delegation of authority and policy relating to regulations."