Compliance Law Journal

marketing company to allow the company to market its products and services to the individual. 68

With this background regarding the Privacy Rule’s theory and approach to health information confidentiality, Part III of this Article will examine three challenges associated with Privacy Rule compliance.

III. PROBLEMS AND PERSPECTIVES

A. Some Privacy Rule Provisions Are Too Complex to be
Operationalized

A principal problem with the Privacy Rule is its complexity, especially with respect to the regulatory provisions governing ( 1) disclosures of PHI from one covered entity to another covered entity for the recipient covered entity’s health care operations activities; 69 ( 2) uses and disclosures of PHI for marketing; 70 and ( 3) uses and disclosures of PHI for public benefit activities. 71 One result is that covered entities frequently hire outside counsel to write HIPAA-compliant policies and procedures, especially with respect to the more complex Privacy Rule provisions identified above. I served as outside counsel to many of the covered entities located in Houston’s Texas Medical Center from the mid-1990s through the mid-2000s, and I drafted for those covered entities many of the policies and procedures required by the Privacy Rule. 72 To make the policies and procedures HIPAA-compliant, 73 I had to include references to the Privacy Rule’s complex provisions. Regardless of the number of times that I explained the provisions to my clients and regardless of the number of live trainings that I provided to my clients’ administrators, medical staff members, nursing staff members, and other workforce members, the provisions were simply too difficult to be operationalized. Thus, my clients were able to demonstrate what I call “paper,” but not true, compliance with the Privacy Rule. Allow me to provide a few examples of this problem.

68. See 2000 Final Rule, supra note 21, at 82,514 (“[ C]overed entities must obtain the individual’s authorization before using or disclosing protected health information for marketing purposes.”).

69. 45 C.F.R. § 164.506(c)( 4) (2016).

70. See id. § 164.501 (defining marketing); id. § 164.508(a)( 3) (regulating the use and disclosure of PHI for marketing).

71. See id. § 164.512(a)-(l).

72. See id. § 164.530( i)( 1) (“ A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of [the Privacy Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.”).