Academic journal article Vanderbilt Law Review

Toothless HIPAA: Searching for a Private Right of Action to Remedy Privacy Rule Violations



"All that may come to my knowledge in the exercise of my profession ... which ought not to be spread abroad, I will keep secret and will never reveal."

-Hippocratic Oath.1

A Midwestern banker, who also served as a member of his county's health board, cross-referenced a health board's list of patients suffering from various diseases with a list of the bank's customers. He then called due the mortgages of anyone suffering from cancer.2 In Oregon, computer disks containing the medical records of 365,000 patients were stolen from a car. Along with personal medical information, the records also contained the patients' names, addresses, and Social Security numbers.3 A Maryland school board member's medical records, revealing that he had been treated for depression, were sent to school officials along with an anonymous note that read, "Is this the kind of person we want on the School Board?"4

These are just a few of the many recent incidents confirming that breaches of medical privacy occur on a disturbingly regular basis.5 The nature of the information contained in medical records and the potentially devastating results of improper disclosures make medical privacy violations abhorrent. Medical records contain highly sensitive information, including intimate details about the patient's illnesses, sexually transmitted diseases, genetic abnormalities, drug and alcohol addictions, and mental or psychological disorders.6 These records also often include information about the patient's financial status, social behaviors, and personal relationships,7 as well as identifying information like Social Security numbers.8 Improper disclosure of such sensitive information may subject patients to social isolation, discrimination by employers, or denial of insurance coverage.9

The Health Insurance Portability and Accountability Act ("HIPAA"), adopted by Congress in 1996, aims to protect the security and privacy of health information.10 The regulations promulgated pursuant to this Act apply to "covered entities," which include (1) health plans, such as health insurance companies, HMOs, Medicare, and Medicaid; (2) health care clearinghouses, such as billing companies and third party administrators; and (3) health care providers, such as hospitals and doctors.11 These regulations protect patient privacy by restricting disclosure of health information to the "minimum necessary," while also preventing unauthorized use by "downstream users."12

While HIPAA imposes a host of obligations on covered entities in an attempt to increase patient privacy, it does not explicitly create any individual rights for patients affected by medical privacy violations. Therefore, a patient who has been seriously harmed as a result of these privacy leaks cannot bring a lawsuit against the responsible party. Instead, a victim's only recourse is to file a complaint with the Department of Health and Human Services ("HHS").13 If HHS decides to pursue a victim's complaint, it may impose fines against the responsible covered entity.14 However, since HIPAA's enactment, HHS has rarely imposed fines or criminal sanctions.15 Regardless of any enforcement action taken by HHS, the victim will not be compensated for the harm caused by this breach of privacy.

Lack of medical record protection does not just harm those whose privacy is violated; it can have negative effects on the entire healthcare system. Although a majority of Americans are concerned about their medical privacy, many do not understand their rights under HIPAA.16 As a result, individuals do not have faith in the health care system's ability to protect their medical privacy. Despite the protections provided by HIPAA's Privacy Rule, this mistrust leads one in eight patients to engage in "privacy protective behaviors,"17 such as providing inaccurate information to doctors or avoiding treatment altogether.18 Lack of full participation in the health care system not only puts these mistrusting individuals at a significant health risk;19 it also can be detrimental to the health care system and society as a whole. …
