Only two state attorneys general -- former Connecticut Attorney General Richard Blumenthal (D) and Vermont Attorney General William Sorrell (D) -- have acted on expanded authority Congress gave them to enforce HIPAA privacy and security rules, iWatch News reports.
The federal government expanded the ability of state attorneys general to enforce HIPAA through the HITECH Act in the 2009 federal economic stimulus package.
Authority to initiate privacy and security breach investigations previously belonged only to HHS' Office for Civil Rights.
Lawmakers believed that increasing the number of HIPAA enforcers could improve health care provider compliance with privacy and security rules and reassure the public that their electronic health data are protected.
The expansion of powers allows attorneys general to bring civil privacy cases to federal district court and seek injunctions, statutory damages and attorney fees.
Reasons for Lack of Action
Experts say several factors explain why few attorneys general have used the authority, including:
- High rates of HIPAA compliance among health care providers;
- Limited resources stemming from weakened state budgets; and
- The newness of the expanded HIPAA enforcement powers.
Deven McGraw -- director of the Health Privacy Project at the Center for Democracy and Technology -- said states might be unwilling to pursue HIPAA violation cases because of the limited amount of monetary damages that could be recovered.
Some experts also have said that attorneys general might choose to prosecute health data breach cases under state privacy and security laws, instead of under federal HIPAA law (Leonard, iWatch News, 9/20).