OCR Takes Over Security: Apparently, HHS will issue a Federal Register notice today that authority for administering, monitoring, and enforcing the HIPAA Security Rule will shift from the Centers for Medicare and Medicaid Services (CMS) to the HHS Office of Civil Rights (OCR). OCR has always had responsibility over the Privacy Rule, but the Security Rule, which came out two years later, was delegated to CMS. I had always interpreted this as an indication that the Security Rule would be more aggressively and seriously enforced, since OCR does not have a reputation as a "watchdog" agency; that reputation has played out in the fact that there have been few Privacy Rule penalties levied by OCR, and OCR has been fairly easy to deal with when providers have gotten into trouble. However, it's not like CMS has been a regulatory bulldog with respect to the Security Rule. Since Privacy and Security do intermix, it does make sense that the same agency would have oversight; however, if you had told me yesterday that they would've been merged, I would've expected the shift to be from OCR to CMS.

