Watch for interstate patients and enforcement

Because HIPAA can be enforced by state attorneys general and not just the feds, risk managers should study any interstate connections that could come into play if there is a privacy breach, advises Christine G. Leyden, RN, MSN, vice president and general manager for client services, and chief accreditation officer with URAC, an independent, nonprofit organization in Washington, DC, that promotes health care quality through its accreditation and certification programs.

A large hospital system may serve consumers from different states, for instance, and that would expose the provider to enforcement action from all of those states, Leyden says. Furthermore, it is important to know exactly where in that state the patient lives, because the attorney general in one may handle HIPAA cases differently than the attorney general in another.

This strategy may be new to many risk managers, who are used to dealing only with their own state authorities. The significant penalties available under HITECH may make interstate enforcement appealing to attorneys general, Leyden says, and each attorney general has a different style and history of enforcement.

"Depending on the attorney general in . . . that state, you may have a very different experience when there is a breach," she says. "You may want to draw up a road map showing where your patients are from and contact that attorney general for guidance, and attend any meetings or advisory groups they offer as they roll out their enforcement."


For more information on state authorities enforcing HIPAA, contact:

• Christine G. Leyden, RN, MSN, Vice President, General Manager for Client Services, Chief Accreditation Officer, URAC, Washington, DC. Telephone: (202) 216-9010.