Secretary delegates HIPAA Security Rule to OCR

On July 27, 2009, Secretary of the Department of Health and Human Services (HHS) Kathleen Sebelius delegated authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) to the Office for Civil Rights (OCR).  This action by Secretary Sebelius will improve HHS’ ability to protect individuals’ health information by combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule is also administered and enforced by OCR.

Congress mandated improved enforcement of the Privacy Rule and Security Rule in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA).  Privacy and security are naturally intertwined, because they both address protected health information.  Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing the efficiency of investigations and resolutions of failures to comply with both rules. Moreover, combining the administration of the Security Rule and the Privacy Rule is consistent with the health care industry’s increasing adoption of electronic health records and the electronic transmission of health information.

The transition of authority for the administration and enforcement of the Security Rule is expected to be seamless, with no interruption in the management or processing of any complaints filed prior to the transition. Consumers may continue to submit HIPAA security complaints using the on-line resource, the Administrative Simplification Enforcement Tool (ASET). New security complaints may also be sent to the Office for Civil Rights. For more information and detailed instructions on how to submit a complaint to OCR, visit the OCR web site. The transition of security complaints from the Centers for Medicare & Medicaid Services (CMS) to OCR has no impact on how complaints about Transactions and Code Sets or Unique Identifiers are filed or processed. CMS retains its enforcement authority for these other HIPAA rules.

View the Federal Register notice of the Delegation of Authority (74 FR 38630).

View the Security Rule Educational Paper Series and NIST Special Publications.

More information on the Security Rule.