

The role of the state attorney general in the enforcement of HIPAA


The authority of state attorneys general (SAG) to enforce the Health Insurance Portability and Accountability Act (HIPAA) was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This authority allows SAGs to take action on behalf of state residents regarding violations of the HIPAA Privacy and Security Rules.


The authority of the state attorney general 

While the responsibility for enforcing HIPAA traditionally rests with the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR), the inclusion of SAGs expands enforcement capacity to address HIPAA violations that might otherwise escape federal scrutiny because of resource limitations.

Examples of SAG authority in enforcing HIPAA include:

  • They can seek financial damages for individuals affected by a violation. 
  • They can request courts to issue injunctions to stop ongoing violations. 
  • They can collaborate with the OCR to coordinate enforcement efforts.
  • They are authorized to address violations of the HIPAA Privacy, Security, and Breach Notification Rules. 
  • They can investigate and prosecute cases involving unauthorized disclosures of protected health information (PHI). 
  • They can notify HHS before filing an action.

How did HITECH expand the role of state attorneys general in HIPAA compliance?

The HITECH Act’s provisions allow SAGs to seek damages on behalf of residents affected by HIPAA violations and to seek injunctive relief to stop further harm. This dual focus provides financial restitution for victims and helps deter noncompliance by covered entities and business associates. The reasoning behind the HITECH Act’s expansion of SAG enforcement authority is an acknowledgment of the limits of federal resources and the need to leverage the localized presence of state legal systems.


The notable settlements involving state attorneys general and HIPAA enforcement

Minnesota Attorney General’s Lawsuit against Accretive Health

During an investigation into Accretive Health, Minnesota Attorney General Lori Swanson uncovered that the company had misused confidential patient information to tailor aggressive debt collection tactics without patient consent. The company was accused of creating a high-pressure environment in which patients forwent treatment because of demands for payment at their bedside. The lawsuit brought against Accretive Health alleged violations of federal privacy rules such as HIPAA, as well as of state debt collection and consumer protection laws.


Delaware Attorney General Addresses Data Breach 

Delaware Attorney General Kathy Jennings and 32 other attorneys general reached a settlement with the clearinghouse Inmediata. The settlement stemmed from a coding issue that exposed the PHI of approximately 1.5 million consumers over nearly three years. As part of the settlement, Inmediata agreed to implement measures to improve its data security practices. According to Attorney General Jennings, “This settlement once again underscores our commitment to protecting Delaware citizens and holding companies accountable for breaches of customer data and vulnerabilities in their services.”

Related: Inmediata reaches $1.4 million settlement following HIPAA investigation


FAQs

Can a state attorney general seek damages on behalf of residents affected by HIPAA violations? 

Yes, state attorneys general can seek damages on behalf of residents affected by HIPAA violations. 


How do multistate actions improve the effectiveness of HIPAA enforcement by state attorneys general? 

Multistate actions allow several states to collaborate on investigations and enforcement actions against large entities.


Could state attorneys’ offices benefit from the use of HIPAA compliant email platforms like Paubox?

While the use of HIPAA compliant email platforms is mostly associated with healthcare organizations and their business associates, such a platform offers a secure and reliable method of communication for any organization, regardless of whether it is required to comply.
