the Law, the Universe, and Everything 

Search

Concurring Opinions is a
general-interest legal blog
operated by Concurring
Opinions LLC, a Pennsylvania
Limited Liability Corporation.

lr_jkr9_12_08supremecourt.jpg

ad-logo5.jpg

Our Podcast

Subscribe to Law Talk

Law-Rev-Forum-2.jpg

law-rev-contents2.jpg

Law-Prof-Blog-Census.jpg

Categories

Accounting
Administrative Announcements
Administrative Law
Admiralty
Advertising
Agricultural Law
Anonymity
Antitrust
Architecture
Articles and Books
Bankruptcy
Behavioral Law and Economics
Bioethics
Blogging
Book Reviews
Capital Punishment
Civil Procedure
Civil Rights
Conferences
Constitutional Law
Consumer Protection Law
Contract Law & Beyond
Corporate Finance
Corporate Law
Criminal Law
Criminal Procedure
Culture
Current Events
Cyberlaw
DRM
Economic Analysis of Law
Education
Empirical Analysis of Law
Employment Law
Environmental Law
Estates and Trusts
Evidence Law
Family Law
Feminism and Gender
First Amendment
Food
Google & Search Engines
Health Law
History of Law
Humor
Immigration
Insurance Law
Intellectual Property
International & Comparative Law
Interviews
Jurisprudence
Law and Humanities
Law and Inequality
Law and Psychology
Law Practice
Law Professor Blogger Census
Law Rev (Boston College)
Law Rev (Boston University)
Law Rev (California)
Law Rev (Chicago)
Law Rev (Columbia)
Law Rev (Cornell)
Law Rev (Duke)
Law Rev (Emory)
Law Rev (Fordham)
Law Rev (Georgetown)
Law Rev (GW)
Law Rev (Harvard)
Law Rev (Illinois)
Law Rev (Indiana)
Law Rev (Iowa)
Law Rev (Michigan)
Law Rev (Minnesota)
Law Rev (Northwestern)
Law Rev (Notre Dame)
Law Rev (NYU)
Law Rev (Penn)
Law Rev (S Cal)
Law Rev (Stanford)
Law Rev (Texas)
Law Rev (UCLA)
Law Rev (Vanderbilt)
Law Rev (Virginia)
Law Rev (Wash U)
Law Rev (Wm & Mary)
Law Rev (Yale)
Law Rev Contents
Law Rev Forum
Law School
Law School (Hiring & Laterals)
Law School (Law Reviews)
Law School (Rankings)
Law School (Scholarship)
Law School (Teaching)
Law Student Discussions
Law Talk
Legal Ethics
Legal Theory
Media Law
Movies & Television
Philosophy of Social Science
Politics
Privacy
Privacy (Consumer Privacy)
Privacy (Electronic Surveillance)
Privacy (Gossip & Shaming)
Privacy (ID Theft)
Privacy (Law Enforcement)
Privacy (Medical)
Privacy (National Security)
Property Law
Race
Religion
Reparations
Science Fiction
Second Amendment
Securities
Social Network Websites
Sociology of Law
Supreme Court
Tax
Teaching
Technology
Tort Law
Web 2.0
Weird
Wiki
Wills, Trusts, and Estates

Archives

October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
August 2005
July 2005
June 2005
May 2005

 

« The Problem of the 28th Amendment | Main | Grutter redo? »

June 05, 2006

HIPAA's Lax Enforcement

posted by Daniel J. Solove

hipaa3.gifToday's Washington Post has an interesting story about how the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) are not being enforced:

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services' Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

The lax enforcement of HIPAA could be addressed if HIPAA were to have a private right of action. Currently, HIPAA doesn't provide a way for individuals to sue for privacy violations. HIPAA would be more effective with a private right of action, which would prevent enforcement from being stymied whenever an agency isn't interested in enforcing a law. The Bush Administration has little love for the HIPAA privacy regulations, which it tried to kill when it took over power from the Clinton Administration. Instead of killing HIPAA, the Bush Administration rewrote parts of the regulations, weakening them significantly. And now, the strategy seems to be to let the HIPAA regulations sink into irrelevance.

Posted by Daniel J. Solove at June 5, 2006 12:12 PM

Trackback Pings

TrackBack URL for this entry:
http://www.concurringopinions.com/movabletype/mt-tb.cgi/924.

Comments

Or maybe patient privacy complaints have more to do with service or outcome gripes than with real privacy breaches.

Or maybe the HHS/Bushies understand that our medical costs are high enough without the cost of dealing with private-right nuisance suits, especially when compared to the aggregate benefits of such a right. Remember, all the "savings" from HIPAA are from transaction code sets, not privacy regs.

Posted by: Indian Chief at June 5, 2006 03:16 PM


It's true that many if not most complaints are related to service or outcome. And it's almost certainly true that a private right of action would increasee health care costs.

But if genuine and serious privacy violations are so rare, then enforcing the law in these cases should be relatively cost-effective and efficient. And there would be not-insignificant deterrent effects. Instead, we appear to have an enforcement scheme tilted entirely toward industry, with no incentive to comply. Where's the protection against your health plan leaking information to your employer? Or your hospital letting loose your identifying information via the kind of slip-up we saw with the VA? If we're accepting promises to "do better" as the only remedy, then the HIPAA Privacy Rule might as well not exist.

Posted by: mrshl at June 5, 2006 08:43 PM


Post a comment




Remember Me?

(you may use HTML tags for style)

Authors

Daniel J. Solove

Website
Understanding Privacy

Kaimipono Wenger

Website
SSRN Page

Dave Hoffman

Website
SSRN Page

Nate Oman

Website
SSRN Page

Frank Pasquale

Website
SSRN Page

Deven Desai

Website
SSRN Page

Michael O'Shea

Website
SSRN Page

Sarah Waldeck

Website
SSRN Page

Lawrence Cunningham

Website
SSRN Page

Danielle Citron

Website
SSRN Page

Jaya Ramji-Nogales

Website
SSRN Page


Guests

Robert Ahdieh
Neil H. Buchanan
Miriam Cherry
Susan Kuo
Jonathan Lipson
Paul Ohm
Geoffrey Rapp
Susan Scafidi
Howard Wasserman
Timothy Zick






ad-logo3.jpg

blawg100_winner2.jpg

Previous Guests

Michael Abramowicz
Michelle Adams
Robert Ahdieh
Michelle Anderson
Laura Appleman
Francesca Bignami
Jeremy Blumenthal
Bruce Boyden
Donald Braman
Al Brophy
Bill Burke-White
Scott Burris
Anupam Chander
Miriam Cherry
Jack Chin
Jennifer Collins
Allison Danner
Brannon Denning
Deven Desai
Mike Dimino
Christine Haight Farley
Kim Ferzan
Dan Filler
Amanda Frost
Timothy Glynn
Rachel Godsil
Eric Goldman
Craig Green
Jeffrey Harrison
Erica Hashimoto
Carissa Hessick
Laura Heymann
Christine Hurt
Darian Ibrahim
Dan Kahan
Sam Kamin
Heidi Kitrosser
Adam Kolber
Russell Korobkin
Anita S. Krishnakumar
Greg Lastowka
Sarah Lawsky
Erik Lillquist
Jeff Lipshaw
Joseph Liu
Solangel Maldonado
Jason Mazzone
William McGeveran
Salil Mehra
Carrie Menkel-Meadow
Max Minzner
Scott Moss
Eric Muller
Jaya Ramji-Nogales
Elizabeth Nowicki
Paul Ohm
Michael O'Shea
Rafael Pardo
Marcy Peek
Eduardo PeƱalver
Neil RIchards
Lori Ringhand
Alice Ristroph
Paul Secunda
Jessica Silbey
Peter Smith
Charles Sullivan
Rick Swedloff
Steph Tai
Robert Tsai
Steve Vladeck
Sarah Waldeck
Melissa Waters
Alfred Yen
David Zaring
Timothy Zick
Jonathan Zittrain

Blogroll

Above the Law
ACS Blog
Althouse
Balkinization
Becker-Posner Blog
Beltway Blogroll
BlackProf
BoingBoing
Chicago Law Faculty Blog
Conglomerate
Convictions
CrimLaw
Crime & Federalism
CrimProf Blog
Crooked Timber
Discourse.net
Dorf on Law
Election Law
Emergent Chaos
Feminist Law Profs
43(B)log
Freakonomics Blog
Freedom to Tinker
Google Blogoscoped
How Appealing
Ideoblog
Info/Law
Instapundit.com
JD2B.com
Juris Novus
Jurisdynamics
Law and Letters
Legal Profession Blog
Legal Theory Blog
Legal Times Blog
Leiter Reports
Brian Leiter's Law School Reports
Lessig Blog
Madisonian
Mirror of Justice
National Security Advisors
Opinio Juris
Point of Law
Political Theory Daily Review
PrawfsBlawg
ProfessorBainbridge.com
Property Prof
Red Tape Chronicles
The Right Coast
Schneier on Security
SCOTUSBlog
Security Dilemmas
Sentencing Law and Policy
Simple Justice
Sivacracy.net
The Situationist
Susan Crawford
TalkLeft
Talking Points Memo
TaxProf Blog
Tech & Marketing Law
Truth on the Market
Volokh Conspiracy
WorkPlace Prof Blog
WSJ Law Blog
Wonkette
The Yin Blog

Pajamas Media BlogRoll Member