One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far there is to go for providers to be in compliance. More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records. A further 20% of the providers would not provide records until requests were escalated to supervisors. Which means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.
HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524
Privacy by design — or “Data Protection by Design” as it is referred to in the General Data Protection Regulation (GDPR) — is essential to meaningful privacy protection. Yet, it is often quite thin and incomplete. As I wrote a few years ago about privacy by design, “The ‘privacy’ the designers have in mind might be so focused on one particular dimension of privacy that it might overlook many other dimensions.”
On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.
While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).