Ind. Code § 24-4.9-3-3.5
(a) Except as provided in subsection (b), this section does not apply to a data base owner that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:
(6) the federal Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191);
if the data base owner's information privacy, security policy, or compliance plan requires the data base owner to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure personal information of Indiana residents that is collected or maintained by the data base owner and the data base owner complies with the data base owner's information privacy, security policy, or compliance plan.
(b) This section applies to a current or former health care provider (as defined by IC 4-6-14-2 ) who is a data base owner or former data base owner:
(2) whose information privacy, security policy, or compliance plan:
(B) is not implemented by the data base owner or former data base owner;
to ensure that the personal information described in subsection (a), including health records (as defined by IC 4-6-14-2.5 ), is protected and safeguarded from unlawful use or disclosure after the data base owner or former data base owner ceases to be a covered entity under the federal Health Insurance Portability and Accountability Act (P.L. 104-191).
(f) The attorney general may bring an action under this section to obtain any or all of the following:
(3) The attorney general's reasonable costs in:
As added by P.L.137-2009, SEC.5. Amended by P.L.76-2017, SEC.4.