State attorneys general will be getting a few lessons in HIPAA. The Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, announced this week training sessions for state AGs to help them in their new authority to enforce the HIPAA privacy and security rules.
The HITECH Act gave state attorneys general authority to bring civil actions on behalf of state residents for HIPAA violations. It also permits the attorneys to obtain damages on behalf of state residents.
Last July, Connecticut attorney Richard Blumenthal's office announced a $250,000 settlement with insurer Health Net and its affiliates regarding a breach of personal health information affecting nearly a half million Connecticut enrollees.
The settlement was a landmark one because Blumenthal's office was the first to cash in on the HITECH-granted authority.
As for the training OCR's sessions will include the following topics:
- General introduction to the HIPAA privacy and security rules
- Analysis of the impact of HITECH on the HIPAA privacy and security rules
- Investigative techniques for identifying and prosecuting potential violations
- A review of HIPAA and state law
- OCR's role in enforcing the HIPAA privacy and security rules
- State AGs' roles and responsibilities under HIPAA and HITECH
- Resources for state AG in pursuing alleged HIPAA violations
- HIPAA enforcement support and results
The training takes places at the following sites and dates:
- Dallas: April 4 and 5
- Atlanta: May 9 and 10
- Washington, DC (metro area): May 19 and 20
- San Francisco: June 13 and 14
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: "There are 50 new sheriffs in town."
"Most state AGs are elected, and almost all of them do everything they can to get re-elected," says Drummond. "That means they'll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there's a 'good story' behind the breach. They want to be seen as protecting the little guy, and they're much more incentivized" than OCR.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.