David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule. In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”
Holtzman stated that OCR is conducting compliance reviews for all HIPAA data breaches involving data for more than 500 individuals, and is working with covered entities to identify compliance issues that led to those breaches. Marilou King, a senior attorney at the HHS Office of General Counsel, also mentioned that HHS is working with a contractor to develop a process to audit covered entities for compliance with the HIPAA Privacy and Security Rules, and could utilize informal resolution agreements to address violations of the HIPAA Privacy and Security Rules. Ms. King also mentioned that HHS intends to finalize soon the interim enforcement rule it released last year and issue a proposed rule regarding covered entities and business associates, as mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
The recent comments by HHS officials followed OCR’s issuance of draft guidance on May 7, 2010, regarding the risk analysis requirement in the HIPAA Security Rule. The guidance defines several key terms that are not expressly defined in the Security Rule, including “vulnerability,” “threat” and “risk,” although the guidance noted that the terms “do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.” More critically, the guidance “explains several elements a risk analysis must incorporate, regardless of the method employed.” Those elements include: (1) defining the scope of the analysis, (2) identifying where electronic protected health information is stored, received, maintained or transmitted, (3) identifying and documenting potential threats and vulnerabilities, (4) assessing current security measures, (5) determining the likelihood of threat occurrence, (6) determining the potential impact of threat occurrence, (7) determining the level of risk, (8) finalizing the risk analysis documentation and (9) periodically reviewing and updating the risk analysis.