In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information

Abstract

The electronic processing of health information provides considerable benefits to patients and health care providers while at the same time creating serious risks to the confidentiality, integrity, and availability of the data. The Internet provides a conduit for rapid and uncontrolled dispersion and trafficking of illicitly obtained private health information, with far-reaching consequences to unsuspecting victims. To address such threats to electronic private health information, the U.S. Department of Health and Human Services enacted the Health Insurance Portability and Accountability Act Security Rule, which thus far has received little attention in legal literature. This Article presents a critique of the Security Rule. It argues that the Rule suffers from several defects relating to its narrow definition of "covered entities," the limited scope of information it allows data subjects to obtain about their health information, the vagueness and incompleteness of the Rule's standards and implementation specifications, and the lack of a private cause of action. This Article explores the difficult problem of crafting static regulations to adequately address rapidly changing computer and communications technologies and associated security threats to private health information. In addition, it develops detailed recommendations for improving safeguards for electronically processed health records.