24 Journal of Regulatory Compliance Vol. I
This Article proceeds as follows. Part I summarizes the history of the
Privacy Rule, including the many proposed rules, interim final rules, final
rules, guidance documents, and resolution agreements published by HHS. 6
Part II reviews the Privacy Rule’s theory of and approach to health
information confidentiality. 7 Part III identifies three themes relating to
Privacy Rule compliance. 8
First, some Privacy Rule provisions are simply too complex to be
operationalized. 9 Covered entities and business associates with the financial
means to do so can hire outside counsel to draft sophisticated policies and
procedures and conduct HIPAA-compliant training sessions for workforce
members, but many regulated actors are unable to fully operationalize all of
the Privacy Rule’s requirements due to the Rule’s complexity and the costs
associated with compliance. 10
Second, some covered entities continue to value revenue generation over
Privacy Rule compliance. 11 Financially struggling non-profit hospitals and
other health industry participants can generate revenue by selling protected
health information (PHI) to marketing companies, using and disclosing
PHI for fundraising activities, and entering into side businesses, including
reality television show production. 12 The Privacy Rule prohibits most of these
information uses and disclosures unless the covered entity obtains prior
written authorization from the individuals who are the subject of the
information being used and disclosed. However, research reveals that some
covered entities do not obtain authorization before engaging in these lucrative
Third, mobile technology and portable records continue to challenge
Privacy Rule compliance. 13 Although laptop computers, tablets, thumb drives,
and smart phones are necessary for the modern practice of medicine, these
technologies can increase the risk of health information confidentiality
breaches if not used carefully. Research reveals several cases in which
employees and independent contractors of covered entities have negligently
failed to secure such technology, resulting in significant health information
6. See infra Part I.
7. See infra Part II.
8. See infra Part III.
9. See infra Part III(A).
10. See id.
11. See infra Part III(B).
12. See id.
13. See infra Part III(C).