Is HIPAA meaningful? For a long time, the answer to that question was arguably no. The compliance date for the privacy rule was April 14, 2003, and the compliance date for the security rule was two years later (the HIPAA Wikipedia entry has a good summary of this history). Nevertheless, it wasn't until 2007 that the first HIPAA audit took place (see here), and the lack of enforcement led many to believe that HIPAA was basically toothless (see, e.g., here).
Now, though, that may be changing. One of the notable features of the HITECH Act was that it gave state attorneys general the right to file suit on behalf of state residents who have been harmed by a HIPAA violation (the text of the act can be found here). Since then, the attorney general of Connecticut has taken advantage of that new authority and filed suit against Health Net Connecticut, Inc. for HIPAA violations (among other things). The press release is here, and the complaint can be found here. Does this herald a new era of aggressive HIPAA enforcement? I tend to think not. The HITECH Act limits the damages recoverable by attorneys general to $25,000 per calendar year for violations of any individual requirement or prohibition, so HIPAA enforcement isn't going to be a panacea for states that already have limited enforcement budgets. On the other hand, there has already been one suit, and if an attorney general is already considering an action (e.g., under some applicable state law), the additional HIPAA recovery could make the difference in whether a suit is brought. Either way, with the Connecticut attorney general's action, the era of absent HIPAA enforcement is officially closed.