Almost fifteen years have passed since the federal government’s important protections for patient privacy took effect. Yet hospitals, insurers, pharmacies, and doctors’ offices continue to disregard their legal (and ethical) obligations of patient confidentiality, thereby jeopardizing their patients’ interests. Drawing on a number of recent pro bono projects involving violations of patient privacy, Professor Stacey Tovino's recent scholarship analyzes whether patients who are injured really have legally enforceable rights to privacy.
On December 28, 2017, the U.S. Department of Health and Human Services (HHS) settled its fiftieth case involving violations of the privacy, security, and breach notification rules that implement the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In her recent work, Professor Tovino examines these settlement agreements as well as other civil money penalty cases and state attorney general enforcement actions.
Finding that more than 93% of all federal and state enforcement actions involve large populations of patients or insureds, Professor Tovino shows how individuals whose privacy rights are violated have few remedies under federal and state law. Professor Tovino also shows how federal and state administrative agencies take a minimum of two years and, in some cases, more than seven years to investigate and resolve cases involving HIPAA Privacy violations, suggesting that neither populations nor individuals have timely rights to privacy.
Professor Tovino's recent work justifies and proposes new federal regulations that will improve the ability of individuals to enforce their rights under the HIPAA Privacy Rule. More broadly, her work also draws attention to the inability of federal and state agencies to enforce the large number of patient privacy, security, and breach notification regulations that have been adopted.