State Attorneys General

The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

OCR is offering HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules. The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.

Learn more about the HIPAA Enforcement Training for State Attorneys General.

This new enforcement authority granted to State Attorneys General (SAG) by section 13410(e) of the HITECH Act will require significant coordination between OCR and SAG. OCR welcomes collaboration with SAG seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules, and OCR will assist SAG in the exercise of this new enforcement authority. OCR will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to SAG investigations. OCR will also provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.

Learn more about the HIPAA Privacy Rule.

Learn more about the HIPAA Security Rule.

Read the HITECH Act.

Please visit the OCR website for additional information about the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.