States are cracking down on potential privacy and security violations they discover in health care companies: a fine and consent decree in New York will cost an Ohio eye care provider some $4.5 million, while a Georgia-based home health and hospice care company will pay $425,000 to Massachusetts.

The settlements are the latest of several recent state-level actions involving enforcement of privacy and security laws.^[1] Late last year, New Jersey officials announced two separate settlements and consent decrees: one involving two printing companies accused of failing to safeguard protected health information (PHI) and another involving a data breach at a clinic specializing in infertility.

Privacy issues are more likely to draw the attention of state-level officials “if they involve a large number of individuals or involve particularly egregious facts,” attorney Shannon Hartsfield, executive partner in Tallahassee, Florida, with Holland & Knight LLP, told RPP.

Health care privacy issues also could get state-level attention “when companies do things with data that individuals would not expect,” Hartsfield said. “The new federal information blocking prohibitions may result in a number of health-related apps and other third parties marketing directly to patients. With authorization from these patients, companies may be able to obtain sensitive health information even if they are not subject to HIPAA or certain state health privacy laws. It remains to be seen whether these entities will be subject to significant enforcement scrutiny at the state level if they do something with health data that differs from what they have promised consumers.”