The HITECH Act, which called for increased penalties for HIPAA violations, also enabled state attorneys general to file federal lawsuits. But so far, the only well-publicized action has been a lawsuit filed by former Connecticut Attorney General Richard Blumenthal, who is now a U.S. senator, against insurer Health Net. That lawsuit was settled in July 2010, when the insurer agreed to pay $250,000 in damages and offer stronger consumer protections.
Training for attorneys general and their staffs will be offered in four regional meetings from April through June, said Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights. The first event will be April 4-5 in Dallas. OCR will pay all expenses for two members of each state's attorney general's office to attend the training, McAndrew says.
The training will help ensure "that state attorneys general will be better prepared to carry out their new authority under the HITECH Act in enforcing HIPAA," McAndrew said.
Training will be offered in Atlanta and Washington in May and San Francisco in June. "Once those meetings are completed, we'll have computer-based training available as well," McAndrew explained.
She also pointed out that even if a state succeeds in a federal civil lawsuit for a HIPAA violation, OCR, which enforces HIPAA at the federal level, also could take action.
HIPAA Audit Update
McAndrew's comments came Wednesday at the National HIPAA Summit in Washington. She also announced that planning for the long-delayed HIPAA compliance audit program, mandated under the HITECH Act, is continuing, with a pilot of one or more audit models likely to take place later this year. McAndrew, however, declined to say whether the actual audit program could be launched by year's end.
Also speaking at the HIPAA Summit was Valerie Morgan-Alston, who recently was named OCR's first-ever deputy director for enforcement and regional operations. The creation of the position by OCR Director Georgina Verdugo is part of a reorganization that places a new emphasis on enforcement, Morgan-Alston stressed. "We are serious about HIPAA enforcement."
Evidence of OCR's HIPAA enforcement ramp-up has been in the headlines in recent weeks. The office announced a $4.3 million civil monetary penalty against Cignet Health, which operates four clinics in Maryland, in a case involving failure to provide patients with access to their records. It was the first time OCR had levied a civil monetary penalty for a HIPAA privacy rule violation.
And Massachusetts General Hospital entered a resolution agreement, paying a $1 million settlement and agreeing to corrective action in a case stemming from paper records lost on a subway.