Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the materials used last year to train the state attorneys general (AGs) on the enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR has published video of the two-day training sessions along with the slides presented to AGs. A review of the training materials shows that the state AGs were trained on the following:

  • state enforcement of HIPAA/HITECH;
  • the HIPAA Privacy Rule;
  • the HIPAA Security Rule;
  • the impact of HITECH;
  • federal enforcement of HIPAA/HITECH;
  • investigation and prosecution of potential violations of HIPAA/HITECH;
  • preemption of state law; and
  • resources for HIPAA enforcement.

The training sessions discuss the issues that were identified by OCR in the first full year of HITECH’s implementation, including impermissible uses and disclosures; administrative, physical and technical safeguards; access to protected health information; compliance with minimum necessary requirements; and patient complaints. These issues are consistent with those raised by OCR in working with our clients. The training confirms that the AGs are expected to place increased scrutiny on healthcare providers for privacy violations. Healthcare providers and other covered entities are encouraged to ensure compliance with HIPAA/HITECH, including review and enhancement of privacy policies and procedures.