HIPAA Final Rule: Enforcement by State Attorneys General

February 26, 2013.  Today, we examine the HIPAA Rules enforcement role established by the HITECH Act for State attorneys general as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

As of February 18, 2009, Section 13410(e) of the HITECH Act granted State attorneys general the authority to enforce HIPAA Rules by bringing civil actions on behalf of State residents in federal district court.  In the July 14, 2010, Notice of Proposed Rule Making (NPRM) that was finalized in the January 25, 2013, Final Rule, the Department of Health and Human Services (HHS) noted:  “we clarify that we are not issuing regulations with respect to the new authority of the State Attorneys General to enforce the HIPAA Rules.”  75 Federal Register 40870

The HITECH Act Section 13410(e)(1) provisions describe the role of State attorneys general for enforcement of HIPAA Rules. Section 13410, Improved Enforcement of the HITECH Act provided in subsection (e) for Enforcement Through State Attorneys General.  Here is the statutory language for provisions in (1) at 123 STAT. 274-275:

“(1) In General.—Section 1176 of the Social Security Act (42 USC 1320d-5) is amended by adding at the end the following new subsection:

‘(d) Enforcement by State Attorneys General.—

‘(1) Civil Action.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—

‘(A) to enjoin further such violation by the defendant; or

‘(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).

‘(2) Statutory Damages.—

‘(A) In General.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100.  For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).

‘(B) Limitation.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

‘(C) Reduction of Damages.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

‘(3) Attorney Fees.—In the case of any successful action under paragraph (1), the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

‘(4) Notice to the Secretary.—The State shall serve prior written notice of any action under paragraph (1) upon the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately after instituting such action.  The Secretary shall have the right—

‘(A) to intervene in the action;

‘(B) upon so intervening, to be heard on all matters arising therein; and

‘(C) to file petitions for appeal.

‘(5) Construction.—For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State.

‘(6) Venue; Service of Process.—

‘(A) Venue.—Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

“(B) Service of Process.—In an action brought under paragraph (1), process may be served in any district in which the defendant—

‘(i) is an inhabitant; or

‘(ii) maintains a physical place of business.

‘(7) Limitation on State Action While Federal Action is Pending.—If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.

‘(8) Application of CMP Statute of Limitations.—A civil action may not be instituted with respect to a violation of this part unless an action to impose a civil money penalty [CMP] may be instituted under subsection (a) with respect to such violation consistent with the second sentence of section 1128A(c)(1).’”

The following discussion about a modification to 45 CFR 160.310(c)(3), adopted in the Final Rule, is relevant to the enforcement role of State attorneys general [78 Federal Register 5579]:

“Section 160.310 requires that covered entities make information available to and cooperate with the Secretary during complaint investigations and compliance reviews. Section 160.310(c)(3) provides that any protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except as necessary for determining and enforcing compliance with the HIPAA Rules or as otherwise required by law. In the proposed rule, we proposed to modify this paragraph to also allow the Secretary to disclose protected health information if permitted under the Privacy Act at 5 U.S.C. 552a(b)(7). Section 5 U.S.C. 552a(b)(7) permits the disclosure of a record on an individual contained within a government system of records protected under the Privacy Act to another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law and if the agency has made a written request to the agency that maintains the record. The proposed change would permit the Secretary to coordinate with other law enforcement agencies, such as the State Attorneys General pursuing civil actions to enforce the HIPAA Rules on behalf of State residents pursuant to section 13410(e) of the Act….

“To facilitate cooperation between the Department and other law enforcement agencies, the final rule adopts the modifications to 45 CFR 160.310(c)(3) as proposed in the NPRM [referenced earlier in this posting]. Further, the Department will be working closely with State Attorneys General to coordinate enforcement in appropriate cases, as provided under section 13410(e) of the HITECH Act. The Department will continue to update its web site as necessary and appropriate to maintain transparency with the public and the regulated community about these coordinated activities and its other enforcement actions and activities.”

The just referenced Web Site, entitled State Attorneys General, provides the following information:

“This new enforcement authority granted to State Attorneys General (SAG) by section 13410(e) of the HITECH Act will require significant coordination between OCR and SAG.  OCR welcomes collaboration with SAG seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules, and OCR will assist SAG in the exercise of this new enforcement authority.  OCR will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to SAG investigations. OCR will also provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.”

A companion Web site, entitled HIPAA Enforcement Training for State Attorneys General, provides the following information:

“OCR developed HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules.  The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.  Videos and slides from live training sessions conducted in 2011 are available through the OCR website.”

Tomorrow, we begin to examine modifications to the HIPAA Privacy Rule.