State Attorneys General

The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

This new enforcement authority granted to State Attorneys General by section 13410(e) of the HITECH Act will require significant coordination between OCR and SAG.  OCR welcomes collaboration with SAG seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules, and OCR will assist SAG in the exercise of this new enforcement authority.  OCR will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to SAG investigations. OCR will also provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.

HHS Notification

SAG are required by HITECH to serve HHS prior to bringing an action and include a copy of the complaint.

SAG should send the required notice by mail to: General Counsel, Office of the General Counsel, HHS, 200 Independence Avenue, SW, Washington, DC 20201.

Notification should be provided at least 48 hours prior to filing of action. Prior notice is not required under HITECH when it is not feasible, such as in circumstances that require immediate injunctive relief. In such cases, states should provide notice as soon as possible.

SAG who are contemplating HIPAA actions should contact the appropriate OCR regional office to discuss possible actions with OCR staff. Visit the OCR regional offices for contact information.