In 2009, HITECH gave State Attorneys General the authority to bring civil actions on behalf of their state residents for violations of HIPAA. The HITECH Act permits State Attorneys General to sue in federal district court to obtain monetary damages on behalf of state residents and/or to enjoin further violations of HIPAA.
Although trained by OCR in June 2011, State AGs have been slow to jump into the HIPAA pool. Indeed, by the end of calendar year 2011, only two state attorneys general, Connecticut and Vermont, had acted on their HITECH-expanded HIPAA enforcement powers.
However, more are wading in this year:
- On May 26, 2012, the Massachusetts Attorney General announced that it had settled a lawsuit filed against South Shore Hospital for $750,000.00. The lawsuit, which alleged violations of HIPAA and the Massachusetts Consumer Protection Act, arose out of South Shore’s decision to send unencrypted back-up tapes offsite to a data archiving vendor to be erased and re-sold as blank media. However, South Shore failed to notify the vendor that the tapes contained PHI and did not ensure that the vendor had the appropriate safeguards to protect the PHI.
- On July 30, 2012, the Minnesota Attorney General announced a $2.5 million settlement with business associate Accretive Health, Inc., a debt collection agency serving two Minnesota hospitals. The settlement arose out of a lawsuit filed in January 2012 alleging violations of HIPAA and other Minnesota state laws after Accretive lost a laptop containing the unencrypted PHI of over 23,000 Minnesota patients.
With scarcely a week going by without a data breach, privacy, especially as it relates to the protection of health information, is now squarely on the radar of most state regulators. Therefore, whether under HIPAA alone or in conjunction with state privacy and consumer protection laws, it is expected that state attorneys general will sit on the front lines of the HIPAA enforcement effort in the years to come.
Thus, covered entities and business associates alike should understand the heightened regulatory environment in which they conduct business, should appreciate the significant impact that fifty new regulators will have upon HIPAA enforcement efforts, and should take meaningful steps towards HIPAA compliance.