HIPAA Enforcement Training for State Attorneys General

Enforcement By State Attorneys General
One of the more notable enforcement provisions of the HITECH Act is Section 13410, Improved Enforcement, which provides for State Attorneys General to file a HIPAA federal civil lawsuit. Ramping up for potential state action against HIPAA violations, Health and Human Services, through the Office of Civil Rights (OCR), has now taken the next step to help State Attorneys General begin to implement their enforcement authority under the HITECH Act: OCR will hold a 2-day, instructor-led HIPAA Enforcement Training course in 4 locations across the country. At each of these HIPAA Enforcement Training sessions, attendees will receive instruction on the following topics:

  • General introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

More information on the training can be found here

About HITECH Act Section 13410. Improved Enforcement.
In particular, the Act amends Section 1176 of the Social Security Act (42 U.S.C. 1320d-5) by adding the following new subsection at the end:
“(d) Enforcement By State Attorneys General.
CIVIL ACTION. Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—
“(A) to enjoin further such violation by the defendant;
“(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).
“(A) IN GENERAL.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).
“(B) LIMITATION.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
“(C) REDUCTION OF DAMAGES.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

Read complete provision here at page 49