Omnibus Rule Finalizes HIPAA Enforcement Authority for State Attorneys General



Kevin Henry

HIPAA

August 27, 2024

5 minutes read

Omnibus Rule Finalization and Background

The 2013 HIPAA Omnibus Rule incorporated the enforcement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 into the HIPAA Enforcement Rule (45 CFR Part 160), creating a clearer pathway for state-level action alongside federal oversight. The state attorney general authority itself comes directly from HITECH section 13410(e) and was effective when that statute was enacted; the Omnibus Rule harmonized the surrounding procedures, penalty tiers, and definitions so that state actions involving Protected Health Information (PHI) operate within the same framework as federal enforcement under the Administrative Simplification Standards.

By clarifying procedures, remedies, and expectations for collaboration, the Omnibus Rule reinforced a coordinated model in which federal and state authorities work in tandem. The result is a more predictable enforcement environment for covered entities and business associates that manage PHI across jurisdictions.

State Attorneys General Enforcement Authority

State attorneys general (AGs) may bring civil actions in federal district court on behalf of residents of their state who are, or are threatened with being, adversely affected by violations of the HIPAA rules. Available remedies include injunctions to halt unlawful conduct and statutory damages for violations of the HIPAA requirements safeguarding PHI.

This public enforcement authority complements, rather than replaces, federal action by HHS. HIPAA does not create a private right of action for individuals; instead, AGs represent the interests of state residents where privacy or security failures have caused harm or heightened risk.

AG authority reaches entities subject to HIPAA, including covered entities and business associates, when conduct affects the state’s residents—even if the entity operates across state lines. This enables coordinated multistate actions in incidents with broad impact.

Coordination between State AGs and HHS

Before filing suit, an AG must give HHS prior written notice of the action (or, where prior notice is not feasible, notice immediately upon filing). HHS then has the right to intervene, to be heard on all matters arising in the action, and to file petitions for appeal. HITECH also bars an AG from bringing an action against a person while an HHS action against that person for the same conduct is pending, which prevents duplicative or conflicting proceedings.

During and after Office for Civil Rights (OCR) investigations, OCR and AGs share appropriate case information consistent with law to support referrals, joint settlement discussions, and aligned corrective measures. This collaboration promotes consistent interpretations and efficient remedies where violations span multiple states or complex health systems.

Enforcement Mechanisms and Penalties

  • State AG actions: seek injunctions and statutory damages on behalf of residents, plus the costs of the action and reasonable attorneys' fees. Courts may also order compliance monitoring, reporting, and other equitable relief tailored to remediate risks to PHI.
  • HHS/OCR actions: impose civil monetary penalties and negotiate resolution agreements with corrective action plans when violations are substantiated, using the four-tier framework that scales penalties with the entity's culpability (from lack of knowledge through willful neglect that is not corrected) and the scope of noncompliance.

The Omnibus Rule reinforced alignment with HITECH’s penalty concepts, emphasizing risk-based enforcement. Prompt detection, containment, and remediation can mitigate exposure, while willful or repeated noncompliance invites higher sanctions in both forums.


Role of the Office for Civil Rights

OCR is the primary federal enforcer of HIPAA. It receives complaints, opens investigations, conducts compliance reviews and audits, and issues findings. Many matters are resolved through voluntary compliance and corrective action plans; where warranted, OCR assesses civil monetary penalties.

OCR also supports state attorneys general through guidance, training, and technical assistance, helping align investigative approaches, evidence standards, and remedial measures in complex or multijurisdictional cases.

Disclosure of PHI to State Authorities

The HIPAA Privacy Rule (45 CFR 164.512) permits disclosures of PHI to state authorities without individual authorization in defined circumstances. The minimum necessary standard applies to these disclosures, with one exception: it does not apply to disclosures that are required by law.

  • Required by law: when a statute, regulation, or court order compels disclosure, limited to what that mandate requires.
  • Health oversight activities: for audits, investigations, inspections, or licensure actions by a health oversight agency overseeing the health care system or government benefit programs.
  • Law enforcement purposes: in response to a court order, warrant, subpoena, or administrative request, subject to the specific conditions the rule attaches to each.
  • Judicial and administrative proceedings: with a court or administrative tribunal order, or with a subpoena or discovery request accompanied by satisfactory assurances that the individual was notified or that a qualified protective order was sought.
  • Public health and serious threat exceptions: to public health authorities for their authorized activities, or when the covered entity believes in good faith that disclosure is necessary to prevent a serious and imminent threat to health or safety.

Before responding, covered entities should confirm the legal basis for the request, verify the identity and authority of the requester, limit the disclosure to what the basis permits, and record the disclosure so it can be included in an accounting of disclosures if the individual requests one. Business associates may make such disclosures only when directed by the covered entity or when their business associate agreement permits it.

Comparison with OCR and CMS Enforcement Roles

OCR focuses on the HIPAA Privacy, Security, and Breach Notification Rules, including investigations, corrective action plans, and Civil Monetary Penalties. The Centers for Medicare & Medicaid Services (CMS) enforces HIPAA Administrative Simplification Standards governing electronic transactions, code sets, and unique identifiers, as well as related operating rules.

Practically, privacy or security incidents are typically handled by OCR (and, where appropriate, state AGs), while noncompliance with electronic transaction standards is addressed by CMS. Together, these roles create a unified framework: robust federal oversight, empowered state enforcement, and clear expectations for entities handling PHI.

FAQs.

What authority does the omnibus rule grant to state attorneys general?

It incorporated the HITECH Act's grant of authority into the HIPAA Enforcement Rule, under which state attorneys general may bring civil actions in federal district court for HIPAA violations, seek injunctions, and pursue statutory damages on behalf of affected state residents, subject to prior notice to HHS and HHS's right to intervene.

How do state attorneys general coordinate with HHS for HIPAA enforcement?

AGs give HHS written notice before filing suit, which lets HHS intervene and be heard in the action, and an AG cannot sue a person while an HHS action against that person for the same conduct is pending. Throughout a case, OCR and AGs coordinate investigations, share appropriate information consistent with law, and align corrective measures to prevent duplication and ensure consistent outcomes.

What penalties can state attorneys general seek under the omnibus rule?

State attorneys general can seek injunctive relief and statutory damages calculated per violation, along with costs and attorneys' fees. Under HITECH section 13410(e), statutory damages are up to $100 per violation and capped at $25,000 per calendar year for all violations of an identical requirement or prohibition. Separately, OCR may impose civil monetary penalties or require corrective action plans in its own proceedings.

How does the OCR support state attorneys general investigations?

OCR supports AG investigations through guidance, training, and technical assistance, shares appropriate investigative information, and coordinates remedies. OCR’s findings and resolution tools—such as corrective action plans—often complement state actions to produce comprehensive, consistent compliance outcomes.
