The authority of state attorneys general (SAG) to enforce the Health Insurance Portability and Accountability Act (HIPAA) was expanded by the Health Information Technology for Clinical and Economic Health (HITECH) Act. The authority allows SAG to take action on behalf of state residents regarding violations of the HIPAA Privacy and Security Rules.
While the responsibility for enforcing HIPAA traditionally rests with the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR), the inclusion of SAG expands enforcement capacity to address HIPAA violations that may otherwise escape federal scrutiny due to resource limitations.
Examples of the SAG authority in enforcing HIPAA include:
The HITECH Act’s provisions allow SAG to seek damages on behalf of residents affected by HIPAA violations and seek injunctive relief to stop further harm. The dual focus provides financial restitution for victims and helps deter noncompliance by covered entities and business associates. The reason behind the HITECH Act’s expansion of the SAG authority in enforcement is the acknowledgment of the limitations of federal resources and the need to leverage the localized presence of state legal systems.
During an investigation into Accretive Health, Minnesota Attorney General Lori Swanson uncovered that the company had misused confidential patient information to tailor aggressive debt collection tactics without patient consent. The company was accused of creating a high-pressure environment that led to patients forgoing treatment due to demands for payment at their bedside. The lawsuit brought against Accretive Health alleged violations of federal privacy rules like HIPAA as well as state debt collection and consumer protection laws.
Delaware Attorney General Kathy Jennings and 32 other attorneys general reached a settlement with the clearinghouse Inmediata. The settlement was reached due to a coding issue that resulted in the exposure of PHI for approximately 1.5 million consumers over nearly three years. As part of the settlement, Inmediata agreed to implement measures to improve its data security practices. According to Attorney General Jennings, “This settlement once again underscores our commitment to protecting Delaware citizens and holding companies accountable for breaches of customer data and vulnerabilities in their services.”
Yes, state attorneys general can seek damages on behalf of residents affected by HIPAA violations.
It allows several states to collaborate on investigations and enforcement actions against large entities.
While the use of HIPAA compliant email platforms is mostly attributed to healthcare organizations and their business associates, these platforms offer a secure and reliable method of communication for all organizations regardless of the need for compliance.