State Attorneys General — Corrective action / RA

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality State Attorneys General The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.This new enforcement authority granted to State Attorneys General by section 13410(e) of the HITECH Act will require significant coordination between OCR and SAG. OCR welcomes collaboration with SAG seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules, and OCR will assist SAG in the exercise of this new enforcement authority. OCR will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to SAG investigations. OCR will also provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.Learn more about the HIPAA Privacy Rule.Learn more about the HIPAA Security Rule.Read the HITECH Act.Please visit the OCR website for additional information about the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.HHS NotificationSAG are required by HITECH to serve HHS prior to bringing an action and include a copy of the complaint.SAG should send the required notice by mail to: General Counsel, Office of the General Counsel, HHS, 200 Independence Avenue, SW, Washington, DC 20201.Notification should be provided at least 48 hours prior to filing of action. Prior notice is not required under HITECH when it is not feasible, such as in circumstances that require immediate injunctive relief. In such cases, states should provide notice as soon as possible.SAG who are contemplating HIPAA actions should contact the appropriate OCR regional office to discuss possible actions with OCR staff. Visit the OCR regional offices for contact information. Content last reviewed December 21, 2017