Security Rule Enforcement

The Security Rule is a set of federal security standards to protect the confidentiality, integrity, and availability of electronic protected health information. The Secretary of HHS delegated authority for administration and enforcement of the Security Rule to OCR on July 27, 2009. Before that date, the Centers for Medicare and Medicaid Services (CMS) was responsible for enforcing the Security Rule, including investigating complaints and conducting compliance reviews.

Compliance Reviews

In 2008 and 2009, CMS conducted reviews of ten selected covered entities to assess their compliance with the standards set out in the Security Rule. 

CMS' 2008 HIPAA Compliance Review Analysis and Summary of Results.

CMS' 2009 HIPAA Compliance Review Analysis and Summary of Results.