As Jonathan P. Tomes mentioned in his blog post of January 30, 2012, on January 19, 2012, Minnesota Attorney General Lori Swanson filed the first lawsuit against a business associate under HIPAA as provided for in the HITECH Act. Attorneys general for the states of Connecticut, Indiana, and Vermont have filed lawsuits against covered entities. Such lawsuits by state attorneys general may increase for at least three reasons.
First, the HITECH Act provides that, if the state attorney general wins the lawsuit, the losing covered entity and/or business associate would have to pay damages and the costs of the litigation expenses of the attorney general’s office.
Second, last year, the Department of Health and Human Services (“DHHS”) offered HIPAA enforcement training for all state attorneys general. Held in Dallas, Atlanta, Washington, DC, and San Francisco, the two-day training sessions covered the basics of HIPAA’s Privacy Rule and Security Rule, federal enforcement of HIPAA, how to investigate and prosecute potential HIPAA violations, and the availability of federal HIPAA enforcement support and resources.
Third, in the past several months as noted in this blog, DHHS has faced criticism of its HIPAA enforcement efforts by the Office of the Inspector General (“OIG”) and the Senate Judiciary Subcommittee on Privacy, Technology, and Law.
The HITECH Act has brought about some profound changes, as noted in previous postings on this blog. As time passes and state and federal governments continue to struggle to manage their budgets with a shrinking tax revenue base because of declining economic conditions, state attorneys general and DHHS may become much more aggressive with litigation seeking monetary damages from covered entities and business associates.
So take heed from this author, a former United States Marine Corps drill instructor: Forewarned is forearmed. Make sure that your HIPAA compliance efforts could pass inspection, literally! If you need help, by all means, contact us.