What are the respective roles of ONC and OCR regarding privacy and security?

The Office for Civil Rights (OCR) within the Department of Health and Human Services has the regulatory authority for the HIPAA Privacy and Security Rules. OCR also issues guidance and interpretations on the HIPAA Privacy and Security Rules, including how these rules apply to electronic health records, personal health records, and health information technology. OCR has enforcement authority to ensure compliance with the HIPAA Privacy and Security Rules through investigation and the ability to impose civil monetary penalties. The HITECH Act of 2009 enhanced many of the Privacy Rule provisions, including extending certain requirements to business associates; limiting uses and disclosures of protected health information (PHI) for marketing; prohibiting the sale of PHI without patient authorization; expanding individuals' rights to access their information and to restrict certain PHI disclosures to health plans; and providing greater enforcement authority to OCR.

The Office of the National Coordinator for Health Information Technology (ONC) is charged with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of health information. This includes examining and recommending policy, technology, and practices that protect privacy and promote security. In addition, ONC develops regulations for the certification of electronic health records, engages public input, and implements grant programs, such as those to initiate state health information exchanges, the Regional Extension Centers that provide technical assistance to providers working to reach meaningful use of EHRs, and the Beacon Communities grants that will establish and demonstrate best practices for middle and later adopters of health IT.
Content last reviewed on January 15, 2019