Protecting Research Participant Privacy

March 13, 2019

Professor Stacey Tovino placed her latest article, “Going Rogue: Mobile Research Applications and the Right to Privacy,” in the Notre Dame Law Review. Building on Professor Tovino’s past works in patient privacy and health information confidentiality, “Going Rogue” examines the privacy and security implications of mobile application-mediated health research conducted by independent scientists, citizen scientists, and patient researchers. As background, prior scholars who have examined the privacy and security implications of health-related big data have suggested new federal laws or amendments to existing federal laws in an attempt to create comprehensive privacy and security protections for otherwise unprotected data. It is not clear, however, that the federal government has the capacity to enforce expanded or new laws in this area. For example, a recent study published by Professor Tovino in the Iowa Law Review shows that a consumer complaint involving a violation of the HIPAA Privacy, Security, and/or Breach Notification Rules has a one-tenth of one percent (.1%) chance of triggering a government-imposed settlement or civil money penalty.

“Going Rogue” furthers this line of research by assessing whether state law might serve as a viable source of privacy and security protections for big data subjects, including mobile health research participants. Finding that all fifty-one jurisdictions have at least one potentially applicable breach notification law, thirty-six jurisdictions have at least one potentially applicable data security law, and fourteen jurisdictions have at least one potentially applicable data privacy law, “Going Rogue” proposes textual amendments to these laws that, if adopted, would create cross-industry privacy and security protections designed to keep pace with big data.