Hipaa Hypocrisy and the Case for Enforcing Federal Privacy Standards Under State Law

JurisdictionUnited States,Federal
CitationVol. 30 No. 03
Publication year2007


HIPAA Hypocrisy and the Case for Enforcing Federal Privacy Standards Under State Law

Daniel J. Oates(fn*)

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has a right to the protection of the law against such interference or attacks.(fn1)

I. Introduction

In 1993, a Midwestern banker used his position on a county health board to gain access to the protected medical records of individuals in his community.(fn2) Using this data, he discerned which members of the community were suffering from various diseases.(fn3) He then cross-referenced the information with records from his bank and subsequently called due the mortgages of anyone suffering from cancer.(fn4)

In 1995, the daughter of a hospital employee took a list of phone numbers of patients who had recently visited the emergency room.(fn5) In what she later described as a "prank," she used the information to call several of the patients to tell them they had contracted AIDS, when in fact they had not.(fn6) Family members had to restrain one of the prankster's victims from killing herself when she heard the news.(fn7)

These stories underscore the increasing importance of personal information privacy as consumers, financial institutions, and healthcare providers confront the mounting problems associated with security breaches.(fn8) Patients' fears are far from negligible, as sixty-seven percent of Americans report being concerned about the privacy of their personal health information.(fn9) Another fifty-two percent were concerned that their health information might be used by an employer to limit job opportunities; this represents a forty-four percent increase from a similar survey only six years ago.(fn10) In that survey, nearly twenty percent of respondents believed they had been victimized by an improper disclosure,(fn11) and approximately half of those individuals believed that the disclosure resulted in personal embarrassment.(fn12)

In 1996, responding to these outrageous stories and mounting public concern, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA, or the "Act").(fn13) The Act creates national standards for the retention, storage, transmission, and exchange of personal healthcare information.(fn14) The new law replaces a menagerie of state and federal laws which had been ineffectually cobbled together to protect healthcare information.(fn15) The Act also delegates authority to the Secretary of Health and Human Services (HHS) to promulgate standards so that healthcare providers may transmit confidential health information electronically.(fn16) However, the ease and efficiency of electronic transmission has only exacerbated concerns about the security of health information.(fn17) To address these concerns, Congress included penalties in the Act for wrongful disclosure of protected health information.(fn18)

On its face, the statute seemingly provides powerful protections for individuals whose information is wrongfully disclosed.(fn19) Potential penalties include fines of up to $250,000 and ten years in prison.(fn20) However, judicial and administrative interpretations of the statute have all but gutted the privacy provision, making it essentially a dead letter.(fn21) Courts have consistently denied a private right of action to consumers against individuals who wrongfully disclose or obtain their private information.(fn22) Instead, courts force patients to rely on a complaint-investigation process administered by the Office of Civil Rights (OCR). However, OCR only investigates the actions of healthcare providers and does nothing to compensate patients injured by wrongful disclosures.(fn23) Consequently, individuals who have their HIPAA privacy rights violated have few, if any, options to seek a remedy.

This Comment argues that patients and privacy rights advocates should avoid direct litigation under the HIPAA statute. Instead, plaintiffs should focus their efforts on applying the standards mandated by the statute to the common law tort of intrusion upon seclusion. Protecting personal health information has become too important for further delay. Until Congress fills the gaps in HIPAA's privacy protections by enacting uniform comprehensive privacy legislation, state courts should use their interpretive powers to apply the standards mandated by HIPAA to the common law tort of intrusion upon seclusion.

Part II of this Comment summarizes the background of the HIPAA statute as an attempted solution to the privacy problem described above, including its legislative history and HHS promulgation of administrative rules. Next, Part III addresses the agency-imposed limitations on the scope of the statute. The Secretary's decision to rely solely on an administrative complaint process, combined with the government's narrow interpretation of the statute granting third parties immunity from penalties, has undermined enforcement of the privacy provision. Accordingly, Part IV discusses previous attempts to circumvent the administrative limitations by creating a private right of action and the reasons these attempts have failed. Finally, Part V argues for a new approach, utilizing the common law tort of inclusion upon seclusion. This approach incorporates the benefits of a private right of action with the standards of the privacy provisions in the HIPAA statute.

II. Congressional and Administrative Development of HIPAA Privacy Rules

HIPAA is the congressional response to the need for a uniform national policy regarding the administration and distribution of healthcare information.(fn24) By creating uniform standards for the transmission and exchange of healthcare information, both physically and electronically, Congress sought to increase the quality of healthcare and the efficiency of the national healthcare system.(fn25) The Act was not a minor undertaking and industry experts estimated that the cost of developing the regulatory scheme would be quite substantial.(fn26) The privacy provision in the statute was included in response to concerns that the Act would substantially increase the ease of access to confidential healthcare information.(fn27) Due to the complexity of the administration of healthcare information, and the potential for unintended consequences if the rules were overly broad, Congress created very general standards for accountability and punishment.(fn28) To address the lack of specificity in the Act, Congress requested recommendations for further changes from the Secretary of HHS.(fn29) When Congress did not act on those recommendations, HHS started over and created a new framework for the HIPAA privacy protections.(fn30) Pursuant to the congressional mandate, HHS spent three years accumulating public comments and other recommendations for the implementation of the final set of rules.(fn31) The task pitted the business goal of efficient use of healthcare technology against the privacy concerns expressed by individuals and other advocacy groups.(fn32) In response to the agency's request for public commentary on its proposed rules, more than 52,000 comments were received.(fn33) The resulting regulations promulgated by the agency purport to maintain strong protections for the privacy of individually identifiable health information.(fn34) However, the practical application of the rules has left much to be desired.(fn35)

III. Administrative Limitations have Unreasonably Diluted the Privacy Rule by Narrowly Construing the Scope of the Statute

Although the statute and regulations appear to contain some teeth, HHS curtailed any bite in the privacy rules by narrowly interpreting the scope of the statute in two ways. First, HHS limited enforcement of the privacy provision to an administrative complaint process in lieu of private citizen suits.(fn36) The Secretary decided to rely on administrative enforcement in order to emphasize voluntary compliance with the new regulatory scheme.(fn37) The deadline selected for complete compliance was April 14, 2003, nearly seven years after the enactment of the original HIPAA statute by Congress.(fn38) At that time, enforcement rules took effect and individuals could begin filing complaints.(fn39) Since implementation of the complaint process, the system has proved unworkable.(fn40) HHS delegated authority over investigations and sanctions to OCR,(fn41) and although consumers filed 22,664 complaints between April 2003 and September 2006, OCR investigated only 5,400 complaints, and imposed no civil penalties.(fn42) In addition, although OCR has referred over three hundred complaints to the Department of Justice (DOJ) for further investigation and potential criminal charges,(fn43) to date there have been no trials resulting in a conviction,(fn44) only two guilty pleas,(fn45) and two recent indictments.(fn46) Although the pleas may seem to be a step in the right direction, HHS's subsequent policy change, discussed below, has tempered the apparent victories.(fn47)

Second, based on an opinion written by the Office of Legal Counsel (OLC), HHS limited penalties for improper disclosures to healthcare providers and their immediate business associates.(fn48) Had this policy change been in effect at the time of the first plea, the defendant would have been exempt from liability.(fn49)...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT