104 Iowa L. Rev. 1361 (2019)
On December 28, 2017, the federal Department of Health and Human Services (“HHS”) settled its fiftieth case involving potential violations of the privacy, security, and breach notification rules (“Rules”) that implement the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). This Article catalogues and examines currently available enforcement actions involving the HIPAA and HITECH Rules, including the cases in which HHS has entered into a settlement agreement with a HIPAA covered entity or business associate, the cases in which HHS has imposed a civil money penalty on a HIPAA covered entity, and the cases in which a state attorney general has entered into a settlement agreement or consent judgment with a HIPAA covered entity or business associate.
This Article finds that HHS and state attorneys general focus their settlement and penalty efforts on cases involving groups of patients and insureds, leaving individuals whose privacy and security rights have been violated out of the enforcement spotlight. This Article also shows that the execution of settlement agreements and the imposition of civil money penalties take a considerable amount of time—more than seven years in some cases—resulting in a lack of timely attention to the privacy and security rights of both groups and individuals. Finally, this Article reveals that the corrective action required by HHS in cases that do not reach the settlement or penalty phase, when that information is made publicly available, tends to be prospective in nature. Although prospective action helps safeguard future rights, it does little to remedy past harms. Arguing that HITECH’s improved enforcement provisions do little to support individual rights to privacy and security, this Article proposes three new federal regulations. If adopted by HHS, these regulations would improve the ability of individuals to enforce their rights under the HIPAA Rules and shorten the time frame within which enforcement takes place.