Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach.


Specifically, the HITECH Act states that when an AG “has reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates a [privacy and security provision], the attorney general of the state…may bring a civil action on behalf of such residents of the state in a district court of the United States of appropriate jurisdiction.”

Read the full article from Report on Patient Privacy on

About the author: Dissent

Comments are closed.