marketing company to allow the company to market its products and services
to the individual. 68
With this background regarding the Privacy Rule’s theory and approach
to health information confidentiality, Part III of this Article will examine
three challenges associated with Privacy Rule compliance.
III. PROBLEMS AND PERSPECTIVES
A. Some Privacy Rule Provisions Are Too Complex to be
A principal problem with the Privacy Rule is its complexity, especially
with respect to the regulatory provisions governing (1) disclosures of PHI
from one covered entity to another covered entity for the recipient covered
entity’s health care operations activities; 69 (2) uses and disclosures of PHI for
marketing; 70 and (3) uses and disclosures of PHI for public benefit
activities. 71 One result is that covered entities frequently hire outside counsel
to write HIPAA-compliant policies and procedures, especially with respect
to the more complex Privacy Rule provisions identified above. I served as
outside counsel to many of the covered entities located in Houston’s Texas
Medical Center from the mid-1990s through the mid-2000s, and I drafted for
those covered entities many of the policies and procedures required by the
Privacy Rule. 72 To make the policies and procedures HIPAA-compliant, 73 I
had to include references to the Privacy Rule’s complex provisions.
Regardless of the number of times that I explained the provisions to my
clients and regardless of the number of live trainings that I provided to my
clients’ administrators, medical staff members, nursing staff members, and
other workforce members, the provisions were simply too difficult to be
operationalized. Thus, my clients were able to demonstrate what I call
“paper,” but not true, compliance with the Privacy Rule. Allow me to provide
a few examples of this problem.
68. See 2000 Final Rule, supra note 21, at 82,514 (“[C]overed entities must obtain the
individual’s authorization before using or disclosing protected health information for
69. 45 C.F.R. § 164.506(c)(4) (2016).
70. See id. § 164.501 (defining marketing); id. § 164.508(a)(3) (regulating the use and
disclosure of PHI for marketing).
71. See id. § 164.512(a)-(l).
72. See id. § 164.530(i)(1) (“A covered entity must implement policies and procedures
with respect to protected health information that are designed to comply with the standards,
implementation specifications, or other requirements of [the Privacy Rule]. The policies and
procedures must be reasonably designed, taking into account the size and the type of activities
that relate to protected health information undertaken by a covered entity, to ensure such
73. See id.