violate the Privacy Rule. 27
Since ARRA’s enactment, HHS has issued several sets of proposed rules,
interim final rules, final rules, and technical corrections, both implementing
HITECH’s required changes to the Privacy Rule and responding to
other national health information confidentiality concerns. On August 24,
2009, for example, HHS released an interim final rule implementing
HITECH’s new breach notification requirements. 28 On October 30, 2009,
HHS released an interim final rule implementing HITECH’s strengthened
enforcement provisions, including strengthened civil monetary penalties that
the federal Office for Civil Rights (OCR) may, for the first time since the
enactment of the HIPAA statute, impose directly on BAs who fail to maintain
the confidentiality of PHI. 29 On May 31, 2011, HHS released a proposed rule
that would modify the HIPAA Privacy Rule’s accounting of disclosures
requirement. 30 On January 25, 2013, HHS released a final rule modifying the
HIPAA Privacy, Security, Breach Notification, and Enforcement Rules in
accordance with HITECH (Final Regulations). 31 On June 7, 2013, HHS
released technical corrections to the Final Regulations. 32 On September 16,
2013, HHS released a Model Notice of Privacy Practices designed to assist
covered entities in complying with the Final Regulations. 33 On February 6,
2014, HHS released a final rule modifying the Privacy Rule to provide
individuals with a right to receive their laboratory test results directly from
their testing laboratories. 34 Most recently, on January 6, 2016, HHS released
27. HITECH, supra note 4. Elsewhere, I critiqued HITECH’s imposition of
confidentiality requirements directly on BAs and proposed statutory and regulatory changes
to HITECH and the HIPAA Privacy Rule, respectively, that would except a class of BAs,
including outside counsel, from the confidentiality obligations imposed on other BAs. See
Stacey A. Tovino, Gone Too Far: Federal Regulation of Health Care Attorneys, 91 OR. L.
REV. 813, 813-867 (2013). Elsewhere, I also critiqued HITECH’s loosening of the regulatory
provision that governs covered entities’ uses and disclosures of protected health information
for fundraising purposes. See Stacey A. Tovino, Silence Is Golden . . . Except in Health Care
Philanthropy, 48 U. RICH. L. REV. 1157 (2014). This Article builds on my earlier works by
demonstrating the difficulty many covered entities and business associates have with Privacy
28. Breach Notification for Unsecured Protected Health Information, Interim Final Rule,
74 Fed. Reg. 42,740 (Aug. 24, 2009).
29. HIPAA Administrative Simplification: Enforcement, Interim Final Rule, 74 Fed.
Reg. 56,123 (Oct. 30, 2009).
30. Accounting of Disclosures under the Health Information Technology for Economic
and Clinical Health Act, Proposed Rule, 76 Fed. Reg. 31,426 (May 31, 2011).
31. See Final Regulations, supra note 25.
32. See Technical Corrections to the HIPAA Privacy, Security, and Enforcement Rules,
Final Rule, 78 Fed. Reg. 32466, 32466 (June 7, 2013) [hereinafter Technical Corrections II].
33. Model Notices of Privacy Practices, HHS.GOV, http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/ (last visited Aug. 11, 2016)
[hereinafter Model Notice].
34. CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports; Final