When I spoke to Jacqueline Klosek, an attorney in the law firm of Goodwin Procter, she added some interesting thoughts on the new era of agressive enforcement that may be coming, in light of the HITECH Act. Earlier, I also spoke to Kelly Hagan on the HIPAA compliance implications of the HITECH Act, which was signed into law as part of the American Recovery and Reinvestment Act (ARRA) in February.

Klosek says one of the most signficant changes is the expanded opportunity for state attorneys general to get involved in enforcement. Especially for those businesses that operate in several states, the change could make compliance even more complex.

Those companies won't be able to just say, 'OK, this is how the federal authorities are interpreting it and enforcing it.' They'll also have to say, 'This is how state authorities are interpreting it and enforcing it.' And it may be different from state to state. The base law will be the same, but there's certainly some flexibility in how it's interpreted.

Theoretically, then, companies could be subject to state enforcement and federal enforcement proceedings or penalties at the same time.

Klosek also notes that the penalty provisions are effective immediately. "They've expanded the monetary penalties that are possible, and there's a new tiered structure that will depend on the nature and frequency of the neglect," she says.

Sara Krauss, an associate with the law firm of Proskauer Rose also weighed in on the HITECH Act's enforcement provisions. In a phone call last week, she said:

Currently the Department of Justice has authority to enforce criminal penalties under HIPAA. The HITECH Act clarifies that if there is actual criminal activity but the DOJ declines to pursue it, the Department of Health and Human Services Office of Civil Rights can then pursue civil remedies against the same company for violations arising out of the criminal activity.