Do the staff of the state attorney's office need to comply with HIPAA?

The staff of the state attorney's office are enforcers of HIPAA, and their duties may bring them into contact with health data. To prevent potential breaches, training is required, although these offices are not bound by the same rules as covered entities and business associates.

How state attorneys are classified under HIPAA

State attorneys are classified under HIPAA as enforcers of compliance, particularly because of the amendments introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

According to an article published in Baker Donelson, “State attorneys general, thanks to changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act, are learning to wield newfound authority to bring lucrative civil actions based on violations of federal HIPAA requirements and state consumer protection and privacy laws.”

While the Department of Health and Human Services Office for Civil Rights (OCR) is responsible for the primary enforcement of HIPAA, state attorneys general have been granted the authority to bring civil actions on behalf of affected residents. This classification allows them to pursue legal action against covered entities and business associates that fail to adequately secure protected health information.

The policies and procedures state offices should implement to manage PHI

  1. Ensure all staff members handling protected health information (PHI), like secretaries, investigators, and legal assistants, are trained in HIPAA compliance. The training should cover the legal obligations under HIPAA, how to protect PHI, and procedures for potential violations. 
  2. Require all employees, contractors, and third-party vendors to sign confidentiality agreements outlining staff responsibility in handling sensitive data like PHI.
  3. Develop incident response plans that outline steps to take if a breach or unauthorized access to PHI occurs. 
  4. Implement secure methods for storing PHI, both electronically and physically. This may include encryption for electronic records and locked filing cabinets for paper records. 
  5. Establish clear protocols for sharing PHI with other entities. Although state attorneys are not covered entities, HIPAA compliant email platforms are a useful tool even outside the healthcare sector.

How to train state attorney's office staff on HIPAA compliance

As these staff members do not handle PHI as regularly as covered entities or business associates, training does not need to be as in-depth. It should cover the basic aspects of HIPAA and the HITECH Act, including:

  • An introduction to HIPAA and its significance for patient information.
  • The Privacy Rule, including patient rights regarding PHI.
  • The Security Rule, focusing on the safeguards needed to secure electronic PHI.
  • The procedures for reporting breaches of PHI.
  • How to respond to potential breaches or violations.
  • The interactions between HIPAA and state laws that may provide additional protections.

FAQs

How does HIPAA affect data sharing between state offices and local health departments? 

HIPAA allows sharing PHI between state offices and local health departments without requiring individual patient authorizations, provided the sharing is for public health purposes. 

What is the difference between how HIPAA and state laws govern data privacy?

HIPAA establishes the federal baseline for the protection of PHI, while state laws can provide additional data privacy protections that may be stricter than HIPAA.

How often should state attorney staff be trained in HIPAA?

State attorney staff should undergo HIPAA training alongside other workplace training modules at least once a year.