The Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009 empowered state attorneys general (AGs) to enforce HIPAA privacy and security rules. So far, four AGs have taken up the cause, in Connecticut, Indiana, Minnesota and Vermont.

More AGs may follow now that the Office for Civil Rights (OCR), the enforcing agency in the Department of Health and Human Services (HHS), has made training materials for the AGs available online. Previously, OCR conducted a nationwide live training campaign for the AGs, resulting in the four states mentioned above beginning their own enforcement efforts.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 set up the mechanism for the federal government to police leaks of personal health information (PHI) from medical records, and subsequent federal regulations put HIPAA-based privacy and security rules into place to further protect medical records. HITECH expanded the effort by granting state attorneys general the power to police breaches of health information as well.