Kim Singletary is Director of Technical Solution Marketing at McAfee. Singletary has more than 15 years of experience ...
In the past, I talked about how HITECH gave a boost to HIPAA compliance by allowing state attorneys general to bring civil actions for alleged violations of HIPAA Privacy and Security on behalf of state residents. HITECH also mandates direct reporting to the Federal Government of breaches that affect over 500 patient records. In addition, state attorneys general can now refer to information on the HHS breach notification site to conduct their own investigations on behalf of their residents.
The US HHS has training online for state attorneys general to help them understand HIPAA and identify possible ePHI breaches. Direction is given for attorneys general to look for HIPAA violations in local news stories, resident complaints, and of course current civil and criminal caseloads. In some states, Connecticut being one, breach notification has even been amended to bypass this run-around as of October 1, 2012 by requiring notification before or at the time of patient notification. This notification applies not only to in-state providers and businesses, but to any business in any state that holds private records for Connecticut residents.
I expect to see more states amend their notification laws in the future, so businesses and providers that hold ePHI or private data must report a data breach to both the Federal Government and the state attorney general.