HIPAA Security Rule authority moved to Office for Civil Rights
The Department of Health and Human Services has delegated the authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights.
The OCR's administration and enforcement of the security rule, which had previously been delegated to the Centers for Medicare and Medicaid Services, will eliminate duplication and improve the department's efforts to ensure that health information privacy is protected.
"I can certainly see how such a change will create operational efficiencies for HHS as it conducts rulemaking, provides guidance and increases enforcement activities relating to both HIPAA and ARRA," said Lisa Gallagher, HIMSS' senior director of privacy and security. "HIMSS will continue to support industry compliance efforts by providing information, educational programming as well as tools and resources through its privacy and security toolkit."
HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. HHS Secretary Kathleen Sebelius announced the move Monday.
The privacy rule provides federal protection for personal health information held by covered entities and gives patients rights with respect to that information. The OCR has been responsible for enforcement of the privacy rule since 2003. The security rule specifies administrative, technical and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of both rules.
"Security and privacy of health information are increasingly intersecting as the department works with the health industry to adopt electronic health records and participate in an even greater level of electronic exchange of health information," said Sebelius. "Privacy and security are naturally intertwined, because they both address protected health information. Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency."
Through a separate delegation, CMS continues to administer and enforce the HIPAA Administrative Simplification regulations, other than privacy and security of health information.