The Department of Health and Human Services recently transferred authority for the enforcement of the Health Insurance Portability and Accountability Act of 1996 security rules to the Office of Civil Rights, another sign of the federal government's increased efforts to protect the confidentiality of health information.
The department said it made the move to improve its ability to protect individuals' health information by combining in one office both the administration and the enforcement of the health information privacy and security rules called for in HIPAA.
Congress mandated improved enforcement of HIPAA's privacy rules in the Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009. The new law:
Increases the criminal and civil penalties for HIPAA privacy violators
Prohibits the sale of personal health information without prior consent
Clarifies the sanctions on employees and individuals who wrongfully use or access the personal health information of others.
The department also has released for public comment a set of new regulations requiring health care providers, health plans and other entities covered by HIPAA to notify individuals when their health information is breached.
Employers maintaining health plans should review their data security and privacy practices and update any policies and procedures. They also should make sure that they train every employee who handles or has access to the medical information of other employees. Employers should make compliance with HIPAA part of their overall privacy and confidentiality policies.
-- Joseph Vater,
Meyer, Unkovic & Scott,
jav@muslaw.com.
"Money Q&A" and "Company Town" are featured exclusively at PG+, a members-only web site of the Pittsburgh Post-Gazette.