Who's the Boss? States Join the HIPAA Enforcement Fray

While significant focus is often given to what the Office for Civil Rights is up to when it comes to HIPAA enforcement, 2018 has already provided ample reminders that they are not alone when it comes to investigating and enforcing HIPAA violations.

In addition to applying HIPAA requirements to business associates, the 2009 HITECH Act also gave state attorneys general the power to enforce HIPAA on OCR’s behalf. Since HITECH’s passage, few states have chosen to exercise this authority, instead relying on their own state’s privacy and data breach laws.

That appears to be changing.

The New York Attorney General has already announced two large settlements, one in January and one in March. New Jersey, another state that has taken enforcement action under HIPAA in the past, did so again in April, announcing a settlement with a physician network in the state for violations of the HIPAA Privacy and Security Rules.

Whether these enforcement actions represent a blip on the radar or a growing trend, there are some important takeaways:

State enforcement of HIPAA isn’t limited to small-time violators. State attorneys general are going after big fish, enforcing the same kinds of large monetary settlements and strict corrective action plans that OCR pursues.

As data breaches (especially in health care) continue to be a problem, it is reasonable to assume that attorneys general are going to get tough on companies in their states that don’t protect data, using the tools granted to them not only by state law, but also by federal law. When announcing the March settlement, New York Attorney General Eric Schneiderman specifically called out New York’s “weak and outdated security laws.”

Only a handful of states have their own requirements for security safeguards. The Security Rule gives attorneys general in states that haven’t adopted such standards an opportunity not only to investigate breaches of health care information, but also to investigate the physical, technical, and administrative controls that are in place to prevent those breaches.

More than ever, having a strong HIPAA compliance program is a cost of doing business if you are interacting with health care information. We’re here to share our expertise.

Tripp Stroud