A Timely Right to Privacy
Author: Stacey A. Tovino
Position: Judge Jack and Lulu Lehman Professor of Law and Founding Director, Health Law Program, William S. Boyd School of Law, University of Nevada, Las Vegas
Pages: 1361-1420
Source: Iowa Law Review, Vol. 104 (2019)

A Timely Right to Privacy
Stacey A. Tovino*
ABSTRACT: On December 28, 2017, the federal Department of Health and
Human Services (“HHS”) settled its fiftieth case involving potential
violations of the privacy, security, and breach notification rules (“Rules”)
that implement the Health Insurance Portability and Accountability Act
(“HIPAA”) and the Health Information Technology for Economic and
Clinical Health Act (“HITECH”). This Article catalogues and examines
currently available enforcement actions involving the HIPAA and HITECH
Rules, including the cases in which HHS has entered into a settlement
agreement with a HIPAA covered entity or business associate, the cases in
which HHS has imposed a civil money penalty on a HIPAA covered entity,
and the cases in which a state attorney general has entered into a settlement
agreement or consent judgment with a HIPAA covered entity or business
associate.
This Article finds that HHS and state attorneys general focus their settlement
and penalty efforts on cases involving groups of patients and insureds,
leaving individuals whose privacy and security rights have been violated out
of the enforcement spotlight. This Article also shows that the execution of
settlement agreements and the imposition of civil money penalties takes a
considerable amount of time—more than seven years in some cases—resulting
in a lack of timely attention to the privacy and security rights of both groups
and individuals. Finally, this Article reveals that the corrective action
required by HHS in cases that do not reach the settlement or penalty phase,
when that information is made publicly available, tends to be prospective in
nature. Although prospective action helps safeguard future rights, it does little
to remedy past harms. Arguing that HITECH’s improved enforcement
provisions do little to support individual rights to privacy and security, this
Article proposes three new federal regulations. If adopted by HHS, these
regulations will improve the ability of individuals to enforce their rights under
the HIPAA Rules and reduce the time frame within which enforcement takes
place.

* Judge Jack and Lulu Lehman Professor of Law and Founding Director, Health Law
Program, William S. Boyd School of Law, University of Nevada, Las Vegas. I thank Daniel
Hamilton, Dean, William S. Boyd School of Law, for his generous financial support of the
research project on which this featured address is based. I also thank Nadia Sawicki, Georgia
Reithal Professor of Law and Academic Director, Beazley Institute for Health Law and Policy,
Loyola University Chicago School of Law, and the organizers and participants of the Eleventh
Annual Beazley Symposium on Health Law and Policy (“Privacy, Big Data, and the Demands of
Providing Quality Patient Care”) for their comments and suggestions on the ideas presented at
the symposium and in this Article.

1362 IOWA LAW REVIEW [Vol. 104:1361
I. INTRODUCTION .......... 1362
II. SUMMARY OF THE HIPAA PRIVACY RULE .......... 1367
III. RESEARCH FINDINGS .......... 1374
  A. NUMBER OF AFFECTED INDIVIDUALS IN CASES SELECTED FOR SETTLEMENT OR PENALTY .......... 1374
    1. HHS Settlement Agreements .......... 1377
    2. HHS Civil Money Penalties .......... 1379
    3. State Attorney General Enforcement .......... 1381
    4. HHS Corrective Action in Non-Settlement and Non-Penalty Cases .......... 1383
  B. TIMELINESS AND NATURE OF ENFORCEMENT .......... 1384
    1. HHS Settlement Agreements .......... 1384
    2. HHS Civil Money Penalties .......... 1388
    3. HHS Corrective Action in Non-Settlement and Non-Penalty Cases .......... 1390
IV. A QUI TAM PROCESS .......... 1393
V. A PRIVATE RIGHT OF ACTION .......... 1397
VI. EXCLUSION AUTHORITY .......... 1401
VII. CONCLUSION .......... 1404
APPENDIX A: HHS SETTLEMENT AGREEMENTS AND CORRECTIVE ACTION PLANS .......... 1407
APPENDIX B: HHS CIVIL MONEY PENALTY CASES .......... 1417
APPENDIX C: STATE ATTORNEY GENERAL ENFORCEMENT ACTIONS .......... 1418
I. INTRODUCTION
Consider a hypothetical involving a patient who is under the care of a
local physician. The physician, who has not received any privacy or security
training, downloads malicious software (“malware”) that disseminates the
patient’s electronic protected health information (“ePHI”)1 in violation of the
Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.2
When the patient learns that her sensitive ePHI has been disclosed without
her authorization, she informs the physician that she is leaving his practice to
seek care under a new provider. The patient requests a paper copy of her
medical record, which she plans to give to her new provider. In violation of
the HIPAA Privacy Rule, the physician refuses to give the patient a paper copy
of her medical record.3 The physician then discards the patient’s paper
medical record in a dumpster located behind the physician’s clinic, violating
the HIPAA Privacy Rule for a third time.4
Although hypothetical, the facts above are based on several cases in which
the federal Department of Health and Human Services (“HHS”) and state
attorneys general have entered into settlement agreements or consent
judgments with, or imposed civil money penalties on, covered entities and
1. Electronic protected health information (“ePHI”) is “individually identifiable health
information” that is “transmitted by electronic media” or “maintained in electronic media.”
45 C.F.R. § 160.103 (2017).
Individually identifiable health information is information that . . . :
(1) Is created or received by a health care provider, health plan, employer, or health
care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of
an individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can
be used to identify the individual.
Id. (emphasis omitted).
2. The HIPAA Privacy Rule is a set of federal regulations that governs covered entities and
business associates with respect to their uses and disclosures of protected health information.
See id. §§ 164.500–.534 (codifying the HIPAA Privacy Rule). The terms “covered entity” and
“business associate” are defined infra notes 36 and 41, respectively. Protected health information
(“PHI”) is “individually identifiable health information . . . that is . . . [t]ransmitted by electronic
media[,] . . . [m]aintained in electronic media[,] or . . . [t]ransmitted or maintained in any other
form or medium.” Id. § 160.103. Among other obligations, the HIPAA Privacy Rule requires
covered entities and business associates to have in place appropriate technical “safeguards to
protect the privacy of [PHI]” and to “reasonably safeguard [PHI] from . . . intentional
[and] unintentional use[s] [and] disclosure[s] that . . . violat[e]” the HIPAA Privacy Rule.
Id. § 164.530(c)(1)–(2).
3. See id. § 164.524(a)(1) (requiring (in most cases) covered entities to provide individuals
with copies of their medical records, billing records, and other PHI that is maintained in a
designated record set, if requested); id. § 164.501 (defining “designated record set” as “[a] group
of records maintained by or for a covered entity,” including within that definition medical
records, billing records, enrollment records, payment records, claims adjudication records, and
other records that are “[u]sed, in whole or in part, by or for [a] covered entity to make decisions
about individuals”).
4. See id. § 164.530(c)(1) (requiring covered entities to “have in place appropriate
. . . physical safeguards to protect the privacy of [PHI]”).