State AGs to Get HIPAA Lawsuit Training

HITECH Enables Attorneys General to File Federal Civil Suits
State AGs to Get HIPAA Lawsuit Training
In a step that could pave the way for ramped up HIPAA enforcement at the state level, training for state attorneys general on how to file a HIPAA federal civil lawsuit will be offered this spring, a federal official announced Wednesday.

The HITECH Act, which called for increased penalties for HIPAA violations, also enabled state attorneys general to file the federal lawsuits. But so far, the only well-publicized action has been a lawsuit filed by former Connecticut Attorney General Richard Blumenthal, who is now a U.S. senator, against insurer Health Net. That lawsuit was settled in July 2010, when the insurer agreed to pay $250,000 in damages and offer stronger consumer protections.

Training for attorneys general and their staffs will be offered in four regional meetings from April through June, said Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights. The first event will be April 4-5 in Dallas. OCR will pay all expenses for two members of each state's attorney general's office to attend the training, McAndrew says.

The training will help ensure "that state attorneys general will be better prepared to carry out their new authority under the HITECH Act in enforcing HIPAA," McAndrew said.

Training will be offered in Atlanta and Washington in May and San Francisco in June. "Once those meetings are completed, we'll have computer-based training available as well," McAndrew explained.

She also pointed out that even if a state succeeds in a federal civil lawsuit for a HIPAA violation, OCR, which enforces HIPAA at the federal level, also could take action.

HIPAA Audit Update

McAndrew's comments came Wednesday at the National HIPAA Summit in Washington. She also announced that planning for the long-delayed HIPAA compliance audit program, mandated under the HITECH Act, is continuing, with a pilot of one or more audit models likely to take place later this year. McAndrew, however, declined to say whether the actual audit program could be launched by year's end.

Also speaking at the HIPAA Summit was Valerie Morgan-Alston, who recently was named OCR's first-ever deputy director for enforcement and regional operations. The creation of the position by OCR Director Georgina Verdugo is part of a reorganization that places a new emphasis on enforcement, Morgan-Alston stressed. "We are serious about HIPAA enforcement."

Evidence of OCR's HIPAA enforcement ramp-up has been in the headlines in recent weeks. The office annnounced a $4.3 million civil monetary penalty against Cignet Health, which operates four clinics in Maryland, in a case involving failure to provide patients with access to their records. It was the first time OCR had levied a civil monetary penalty for a HIPAA privacy rule violation.

And Massachusetts General Hospital entered a resolution agreement, paying a $1 million settlement and agreeing to corrective action in a case stemming from paper records lost on a subway.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.