National Association of Attorneys General
Amendments to Health Privacy Law Grant States Enforcement Powers
The economic stimulus package, signed into law Feb. 17, 2009, grants state Attorneys General specific new enforcement authority in protecting patient privacy. Officially known as the “American Recovery and Reinvestment Act of 2009” (P.L. 111-5), the law will affect Attorneys General work directly and indirectly in several ways. The health privacy provisions are a good example. In addition to expanded enforcement authority in protecting patient privacy, the substantive requirements that Attorneys General may now enforce have themselves changed. The law also encourages wider use of electronic storage and transfer of health information, which means more occasions that could give rise to violations of state and federal privacy laws.
The Health Insurance Portability and Accountability Act (HIPAA), whose administrative simplification provisions are codified at 42 U.S.C. § 1320d et seq., is the federal law that requires certain individuals and organizations in the health care system to hold patients’ health information confidential. The statutory provisions and administrative rules implementing HIPAA are complex and technical, but the health information provisions of the stimulus package (Title XIII, known as the HITECH Act) tighten and extend the prohibitions against disclosure, although not as comprehensively as some privacy groups had hoped. Three major changes stand out in the new provisions.
- One major change is that “covered entities” (health care providers, health care clearinghouses and health care plans) are now required to notify patients about breaches to their unsecured private health information.
- New provisions extend some of HIPAA’s privacy and security requirements to “business associates” of covered entities. This means that “business associates,” such as outside billers and health care consultants, are directly subject to HIPAA and its penalties—not simply vulnerable to contract disputes or cancellation of contracts.
- HIPAA now provides that “covered entities” and “business associates” are prohibited from selling protected health information.
For Attorneys General, Section 13410(e) of the stimulus bill (amending the HIPAA enforcement provisions at 42 U.S.C. § 1320d-5) is the provision with the most obvious impact. It authorizes state Attorneys General to take enforcement action against HIPAA violators. The new law provides:
- The Attorneys General are authorized to bring civil suit in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations.
- The Attorneys General can sue for injunctive relief, and/or for damages.
- Statutory damages are calculated at up to $100 per violation and are capped at $25,000 per calendar year for all violations of an identical requirement or prohibition.
- States must notify the Secretary of Health and Human Services before bringing such a suit; a pending federal suit bars any such state action.
- Attorney fees and costs may be awarded to the states. Nothing in the amended federal law may be construed to prevent a state Attorney General from exercising powers granted under state law.
The federal law preempts state law on the subject of individually identifiable health information to the extent that the state law is less stringent than the federal regime. The stimulus bill extends the preemption and its limitation to its new provisions of HIPAA (Section 13421, applying 42 U.S.C. § 1320d-7 to the new provisions). State Attorneys General will recognize that this provision follows the familiar formula characterizing the federal law as the “floor,” with state law free to set a higher standard. Existing HIPAA case law does not provide much guidance as to how state enforcement may develop, because almost all federal enforcement has been conducted in an administrative and collaborative setting rather than as adversarial litigation. While it seems that a HIPAA enforcement suit could reasonably be combined, under supplemental jurisdiction, with state-law privacy claims, it is unclear how frequently such claims will arise. It remains to be seen how state Attorneys General will make use of this new-found authority.