State AG Authority Under HITECH
The HITECH Act of 2009 gave state attorneys general a new and significant power: the authority to bring civil actions in federal district court to enforce HIPAA on behalf of their residents (42 U.S.C. § 1320d-5(d)). This authority is concurrent with, not a replacement for, OCR's enforcement authority, so a covered entity may face both OCR and a state AG over the same conduct, with one statutory limit: if HHS has already instituted an action over a specific violation, no state AG may sue that person over the same violation while the federal action is pending. Prior to HITECH, state AGs had no direct role in HIPAA enforcement.
The state AG enforcement authority was intended to supplement federal enforcement by enlisting the resources of every state's attorney general and by allowing states to respond more quickly, and closer to the affected residents, to breaches and violations.
Scope of State AG Authority
A state AG may bring a civil action in federal district court, as parens patriae, when it has reason to believe that the interests of one or more residents of the state have been or are threatened or adversely affected by any person who violates HIPAA. The AG must serve written notice on HHS, with a copy of the complaint, before filing; where prior notice is not feasible, the notice must be served immediately upon filing. The notice gives HHS the opportunity to intervene or to take its own enforcement action.
HHS has the right to intervene in a state AG action, to be heard on all matters arising in it, and to file petitions for appeal. Venue lies in any district in which the defendant is found, resides, or transacts business. Together with the notice requirement, these provisions give HHS a mechanism to coordinate enforcement that spans multiple states or involves nationally significant violations.
Remedies Available to State AGs
State AGs may seek the following remedies in their HIPAA enforcement actions:
- Injunctive relief: court orders requiring the covered entity to stop the violating conduct and, in practice, to implement remedial privacy and security measures, usually spelled out in a consent judgment
- Statutory damages on behalf of residents: up to $100 per violation, with the total for all violations of an identical requirement or prohibition during a calendar year capped at $25,000; the court may reduce the amount using the same factors HHS applies to civil money penalties, such as the nature and extent of the violation and of the resulting harm
- Attorneys' fees: in a successful action the court may, in its discretion, award the state its costs and reasonable attorneys' fees
These HIPAA damages are modest next to OCR's tiered civil money penalties and next to what many state consumer protection and breach notification statutes allow, and in practice state AGs often plead state law claims alongside, or instead of, HIPAA.
Relationship to State Privacy Laws
HIPAA sets a federal floor for health privacy protection: a contrary state law is preempted unless it falls within an exception, the most important being that the state law is more stringent in protecting individual privacy (45 CFR 160.203). State laws that provide greater privacy protections than HIPAA therefore survive, and covered entities operating in states with stricter health privacy laws must comply with both HIPAA and the stricter state requirements at the same time.
State AGs can enforce state health privacy, breach notification, and consumer protection laws as well as HIPAA, giving them more than one legal theory for the same conduct; HITECH expressly preserves the powers an AG already holds under state law. A covered entity that violates both HIPAA and a stricter state law may face federal HIPAA penalties from OCR, HIPAA damages sought by the AG, and state law remedies from the AG.
Notable State Enforcement Actions
Several states have been active in HIPAA enforcement since receiving this authority:
- Connecticut (2010): the first state AG HIPAA action under HITECH, brought against Health Net over a lost, unencrypted portable disk drive holding members' medical and financial records; the settlement included a $250,000 payment and corrective security measures.
- Indiana (2011): a suit against WellPoint over a web application flaw that exposed the records of roughly 32,000 Indiana residents, settled for $100,000; the claim was brought under Indiana's breach notification law for delayed notice rather than under HIPAA, a reminder that AGs pick whichever theory fits best.
- Massachusetts (2012): a $750,000 consent judgment with South Shore Hospital over unencrypted backup tapes lost in transit, pleading both HIPAA and the state consumer protection statute.
- Multi-state actions: in late 2018, twelve state AGs filed the first multistate HIPAA suit, against the electronic health records vendor Medical Informatics Engineering, settling in 2019 for $900,000; in 2019, thirty states settled with Premera Blue Cross for $10 million; and in 2020, a coalition of states settled with Anthem for $39.5 million on top of OCR's earlier $16 million resolution of the same breach. These coordinated actions show state-level pressure that rivals OCR in reach and impact.
The threat of state AG enforcement adds another compliance incentive beyond OCR: even if OCR does not pursue an investigation, a state AG in an affected state may independently investigate and pursue remedies — particularly when a breach receives significant media attention or affects a large number of state residents.