Complying with the HIPAA Privacy Rule:
Problems and Perspectives
Stacey A. Tovino, J.D., Ph.D.*
Twenty years ago, President Clinton signed the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) into law.1 Over the past
two decades, the federal Department of Health and Human Services (HHS)
has published several sets of rules2 implementing the Administrative
Simplification provisions within HIPAA3 as well as the Health Information
Technology for Economic and Clinical Health (HITECH) Act within the American
Recovery and Reinvestment Act (ARRA).4 These rules include a final rule
governing the use and disclosure of protected health information by covered
entities and their business associates (Privacy Rule).5
This Article addresses the question of what it means for covered entities
and business associates to comply with the Privacy Rule. In particular, this
Article will examine the challenges covered entities and business associates
face in attempting to comply with the Privacy Rule while delivering and
supporting the delivery of health care in an administratively responsible and
financially feasible manner.
*Lehman Professor of Law and Director, Health Law Program, William S. Boyd School of
Law, University of Nevada, Las Vegas. I thank Daniel Hamilton, Dean, William S. Boyd
School of Law, for his generous financial support of this research project. I also thank Jeanne
Price (Associate Dean for Academic Affairs and Director, Wiener-Rogers Law Library) and
Andrew Martineau (Research Librarian, Wiener-Rogers Law Library) for locating many of
the sources referenced herein.
1. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (codified as amended in various sections of 18 U.S.C., 26 U.S.C., 29 U.S.C., and
42 U.S.C.) [hereinafter HIPAA].
2. See infra notes 19–34 (referencing several sets of proposed, interim final, and final
3. HIPAA, supra note 1, at Title II, Subtitle F, §§ 261–264 [hereinafter Administrative
4. See American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat.
115, §§ 13001–13424 (Feb. 17, 2009) [hereinafter ARRA] (containing the Health Information
Technology for Economic and Clinical Health (HITECH) Act).
5. Privacy of Individually Identifiable Information, 45 C.F.R. Part 164, Subpart E,
codified at 45 C.F.R. §§ 164.500–164.534 (2016) [hereinafter Privacy Rule].