To date, State Attorneys General (State AGs) in at least four states (Connecticut, Indiana, Minnesota, Vermont) have exercised their authority to enforce the HIPAA privacy and security rules as granted by the Health Information Technology for Clinical and Economic Health (HITECH) Act (pdf), part of the American Recovery and Reinvestment Act of 2009 (ARRA). Following a nationwide live training campaign, the Office of Civil Rights (OCR) is continuing its efforts to train State AGs by making training materials available online.
The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded. Topics include:
- General introduction to the HIPAA Privacy and Security Rules
- Investigative techniques for identifying and prosecuting potential violations
- A review of HIPAA and State Law
- OCR's role in enforcing the HIPAA Privacy and Security Rules
- State AG roles and responsibilities under HIPAA and the HITECH Act
- Resources for State AGs in pursuing alleged HIPAA violations
- HIPAA Enforcement Support and Results
State AG interest in pursing these cases may be growing. For example, the Connecticut Attorney General's website instructs residents on how to file complaints concerning HIPAA. This action by OCR also may indicate it is closer to issuing the long awaited final regulations under HITECH. Health care providers, health plan sponsors and administrators and business associates should be taking steps to ensure they are ready to survive a HIPAA audit, as well as an enforcement action by a State AG.