Medical Information Privacy:

A Study Report to the Michigan Law Revision Commission


            In 2000, the Michigan Law Revision Commission retained the services of Elizabeth Price Foley, Professor of Law, Michigan State University-Detroit College of Law (now at Florida International University College of Law), and Vence L. Bonham, Jr., Associate Professor, Department of Medicine, College of Human Medicine, regarding federal and Michigan laws addressing the privacy of medical information.  This study was prompted in part by congressional passage of the Health Insurance Portability and Accountability Act (commonly referred to as “HIPAA”) and the promulgation in 2002 of implementing regulations by the U.S. Department of Health and Human Services.  A preliminary study report was submitted in 2001.  The final study report follows.


            One of the primary purposes of a study report — including the following study report — is to spark discussion and generate comments from interested groups within the state.  The views and opinions expressed in the following study report are exclusively those of the authors and not those of the Commission or of any individual member of the Commission.  The Commission wishes to make it clear that it takes no position on the recommendations and suggestions contained in the final study report.


            The Commission also wishes to make it clear that it has not made any recommendations to the Legislature, nor will it make any such recommendations until all interested persons have had an adequate opportunity to comment on Professor Foley’s and Professor Bonham’s final study report.


            Written comments may be submitted to Professor Kevin Kennedy, the Commission’s Executive Secretary.  Comments are welcome through the end of 2003.

Final Report to the Michigan Law Revision Commission

Elizabeth Price Foley, J.D., LL.M.

Professor of Law

Florida International University College of Law




Vence L. Bonham, Jr., J.D.

Associate Professor, Department of Medicine,

College of Human Medicine

Michigan State University



Table of Contents



I.  Introduction

II.  Background on HIPAA

    A.  HIPAA’s Scope

    B.  HIPAA Enforcement

    C.  HIPAA Preemption

    D.  August 2002 Final Regulations

        (1)  Consent

        (2)  Marketing

III.  HIPAA Gaps Identified in Preliminary Report

    A.  Electronic Data/Internet Issues

        (1)  Michigan Law

        (2)  HIPAA

        (3)  Potential Michigan Strategies

    B.  Sensitive Medical Information

        (1)  Michigan Law

        (2)  HIPAA

        (3)  Potential Michigan Strategies

    C.  Business Associates

        (1)  HIPAA

        (2)  Potential Michigan Strategies

    D.  The “Enforcement Gap”:  Creating State Enforcement Authority and/or Private Rights of Action

        (1)  Enforcement Via Common Law

            (a)  Invasion of Privacy

            (b)  Medical Malpractice (Breach of Duty of Confidentiality)

        (2)  Enforcement Via Specific Statutes

            (a)  Pre-HIPAA Private Right of Action Statutes

            (b)  Post-HIPAA Enforcement Statutes:  The Texas Approach

IV.  Conclusion


I.  Introduction


In the summer of 2000, the Michigan Law Revision Commission (MLRC) commissioned research regarding federal and Michigan laws addressing the privacy of medical information.  This report presents the final findings of that research project.


A preliminary report was issued to the Commission in the spring of 2001.  The preliminary report surveyed Michigan and federal medical privacy laws, including a detailed discussion of final regulations implementing the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).[1]


Since the preliminary report was issued, important changes have taken place.  Most notably, on August 14, 2002, the Bush Administration issued final regulations[2] that significantly modified the original set of final regulations issued by the Clinton Administration on December 28, 2000.  The Bush Administration’s revisions to the HIPAA privacy rules primarily affected two provisions, both of which will be discussed in this final report: (1) patient consent; and (2) marketing.  These new final regulations became effective on October 15, 2002,[3] although covered entities will not be required to comply with any of the HIPAA privacy rules until April 14, 2003 (one year later, April 14, 2004, for small health plans).[4]


It is important to note that this report (unlike the preliminary report) is relatively narrow in its focus.  It does not purport to re-summarize the ninety-one pages of new final regulations issued by the Bush Administration.  Rather, the purpose of this final report is to summarize for the Commission the most significant changes contained in the new Bush Administration regulations and proceed to focus on the five specific areas identified by the Commission after receipt of the preliminary report as warranting further exploration: (1) medical privacy on the internet; (2) sensitive medical information; (3) marketing; (4) business associates; and (5) a private right of action.


II.  Background on HIPAA


An individual’s medical information is contained in numerous forms, including paper records and charts, electronic databases, and even oral information.  Medical information is possessed by a dizzying array of health care providers, institutions, and business entities, including physicians, hospitals, nursing facilities, pharmacies, insurers, employers, governmental agencies, third party administrators, and marketing firms.  Given the broad array of personal medical information that exists and its potentially wide dissemination (particularly in the computer age), Americans have begun to express concerns about protecting the privacy of personal medical information.


In an attempt to address public concern about the privacy of medical information, most states, including Michigan, have enacted numerous scattered, uncoordinated laws providing varying degrees of access to, and privacy protection for, medical information possessed by health care providers or institutions.  Because these state laws are so varied and incomplete, Congress, as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), imposed upon itself a three-year deadline for developing federal health privacy protections.[5] Recognizing that congressional agreement on health privacy protections might not be feasible, HIPAA mandated that, if Congress could not reach agreement within the three-year time period, the task would be delegated to the Secretary of the U.S. Department of Health and Human Services (HHS).[6]  Congress did not, in fact, meet its self-imposed deadline for developing federal health privacy protections, and the task thus fell to HHS, which promulgated final regulations on December 28, 2000.[7]  Following the election of President Bush, pressure from various interested parties resulted in the issuance by HHS of proposed modifications to the Clinton Administration’s final regulations.[8]  On August 14, 2002, the new set of final regulations was published in the Federal Register.[9]


A.  HIPAA’s Scope


HIPAA’s privacy regulations are limited to three types of entities:


(1)  health plans (e.g., managed care organizations and traditional insurers);[10]

(2)  health care “clearinghouses” (i.e., entities that process health claims information for providers and insurers);[11] and

(3)  health care providers[12] (e.g., physicians, hospitals, pharmacists) who transmit any health information in standard electronic format.[13]


It is only if a provider or entity falls within one of these three categories that the provider or entity will be considered a “covered entity” subject to HIPAA privacy regulations.[14]  Thus, while health plans and clearinghouses are always considered covered entities (and hence, subject to the HIPAA privacy regulations), health care providers are covered entities only if they transmit health information in standard electronic format.  This requirement is expected to encompass most health care providers, since most providers accept payments from insurers or managed care plans which generally require that providers transmit health information in electronic format (e.g., internet, e-mail, fax, phone, etc.). Moreover, another portion of HIPAA, the Electronic Data Interchange (EDI) standards, establishes a uniform standard for all electronic data interchange of health information by covered entities and requires that, by October 16, 2003, all claims for reimbursement by Medicare submitted by providers must be submitted electronically pursuant to the uniform standard.[15]  With a few narrow exceptions, paper claims to Medicare will no longer be accepted.[16]


B.  HIPAA Enforcement


Any person who believes that a covered entity is not complying with the HIPAA privacy regulation may file a complaint with the Secretary of HHS within 180 days of when the individual knew or should have known that the violation occurred.[17]  The Secretary may, but is not required to, investigate such complaints.[18] If the Secretary opts to investigate and determines that non-compliance has occurred, the Secretary must notify the covered entity “and attempt to resolve the matter by informal means whenever possible.”[19] If the Secretary determines that the matter cannot be resolved informally, the Secretary may, but is not required to, issue written findings (to both the covered entity and the complainant) documenting the non-compliance.[20]


The HIPAA statute established a general penalty for failure to comply with the requirements and standards of the Act.  Specifically, the statute states that the Secretary of HHS “shall” impose upon any person who violates the Act a penalty of not more than $100 for each violation, up to a maximum of $25,000 per calendar year for all violations of an identical requirement or prohibition.[21]  In addition, the Act specifically addresses “wrongful disclosure of individually identifiable health information” and provides that a person who knowingly obtains or discloses individually identifiable health information in a manner prohibited by the Act “shall” be punished by a fine of not more than $50,000 and/or imprisonment for not more than one year.[22]  If the violation is committed under false pretenses, the punishment escalates to a fine of not more than $100,000 and/or imprisonment for not more than 5 years.[23]  If the violation is committed “with an intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm,” the punishment again escalates to a fine of not more than $250,000 and/or imprisonment of not more than 10 years.[24]


Neither the HIPAA statute nor its regulations permit a private right of action for violations of the privacy provisions.


C.  HIPAA Preemption


While the HIPAA privacy regulations have provided new federal protections for the privacy of medical information, they are considered to be a minimum, or floor, of protection.  State laws contrary to and less protective than HIPAA’s protection are preempted; state laws that are “more stringent” than the HIPAA protections are not preempted,[25] even if they are contrary to HIPAA.[26]  Three categories of state laws are explicitly not preempted by HIPAA (even if they are less stringent than the protection afforded under HIPAA): (1) state laws that authorize or prohibit disclosure of protected health information about minors to parents, guardians, or persons acting in loco parentis (i.e., parental notification laws);[27] (2) state laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health investigations;[28] and (3) state laws that require health plans to report or grant access to information for the purpose of audits, evaluation, or licensure, or certification of facilities or individuals.[29]


A state (acting through its chief elected official or his/her designee) or others may request, in writing, that the Secretary except a state law from preemption.[30] The Secretary may except a state law from preemption if the Secretary finds one of the following: (1) that the state law is necessary to prevent health care fraud and abuse; (2) that the state law is necessary to ensure appropriate state regulation of insurance and health plans; (3) that the state law is necessary for state reporting on health care delivery or costs; (4) that the state law is necessary for the purpose of serving a compelling need related to public health, safety, or welfare, and, if a privacy standard is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (5) that the state law has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances.[31]


D.  August 2002 Final Regulations


(1)  Consent


The recent regulations issued by the Bush Administration in August 2002 significantly altered the earlier Clinton Administration final regulations regarding the issue of patient consent.  Specifically, the final regulations issued by the Clinton Administration stated that any health care provider with a direct treatment relationship with a patient was required to obtain the patient’s written consent in order to use or disclose protected health information for the purpose of treatment, payment, or health care operations.[32]  This written consent had to be signed and dated by the patient,[33] and the patient had the right to revoke consent (in writing) at any time.[34] The Clinton Administration final regulations permitted health care providers to condition treatment or enrollment on obtaining the patient’s written consent.[35]


The August 2002 regulations issued by the Bush Administration deleted the consent requirement.  Although covered entities may, if they so choose, obtain patient consent prior to using or disclosing protected health information for treatment, payment or health care operations, they are no longer required to obtain consent prior to such use or disclosure to third parties.[36] Instead of requiring written patient consent prior to such use/disclosure, the revised rules require only that covered entities send a written copy of their privacy practices to their patients.[37]  This written notice may be sent by mail or email and is not required to be contained in a separate and distinct mailing (i.e., the notice may be combined with other materials).[38]  Providers are required to make a good faith effort to obtain a written acknowledgement of the patient’s receipt of this notice.[39] If the patient’s written acknowledgement is not obtained by the provider, the provider will not be in violation of the privacy rules so long as the provider can document its good faith effort to obtain the patient’s written acknowledgement.[40]


Because the August 2002 regulations have eliminated the requirement of patient consent, covered entities are now free to use or disclose personally identifiable health information for treatment, payment, and health care operations, subject only to the requirement that they notify their patients of their privacy practices every three years.  This significant modification thus creates a new gap in HIPAA that states such as Michigan may want to fill.  Specifically, Michigan may want to enact a statute that would re-institute the original final regulations’ requirement of patient consent prior to use/disclosure of health information for treatment, payment or health care operations.  Montana, for example, has enacted a statute that requires written patient authorization before a health care provider (or his/her agent/employee) may disclose a patient’s health information for most purposes.[41] 


(2)  Marketing


The Clinton Administration’s final regulations permitted covered entities to disclose protected health information for marketing purposes, so long as the covered entity obtained written consent from the patient.[42]  Moreover, the patient was given a right to “opt out” of any future marketing activities of the covered entity.[43]  As pointed out in the preliminary report to the Commission, this initial final regulation was criticized by privacy advocates as essentially giving covered entities “one free pass” to use/disclose protected health information for marketing or fundraising purposes.  The preliminary report suggested that Michigan may want to consider enacting legislation to prohibit covered entities from using/disclosing protected health information to engage in any marketing or fundraising unless the patient has provided specific authorization for such use.

The Bush Administration’s final regulations now require that covered entities obtain specific authorization before they may send marketing materials to individuals.[44]  While this modification seems, at first blush, to provide greater privacy protections for consumers than those contained in the Clinton Administration’s final regulations, this is not the case.[45]  By creating several new exceptions to the definition of “marketing,” the Bush Administration’s final regulations have narrowed the term significantly, with the result that many communications previously considered marketing no longer are.  The new final regulation’s definition of marketing is complex, but it essentially defines marketing as one of two types of communications:  (1) those flowing from a third party directly to patients as the result of the covered entity selling its patient lists to the third party; or (2) those flowing from a covered entity to an individual in which the covered entity has received remuneration for recommending a product or service not related to health.[46]  An example of the former type of marketing communication would be a communication sent to patients taking anti-anxiety drugs from a drug manufacturer as a result of a covered entity (e.g., a pharmacy) selling its patient lists directly to the drug manufacturer.[47]  An example of the latter would be communications sent to patients taking anti-anxiety medications by a pharmacy (a covered entity) that advertises relaxing vacations (a product or service not related to health), if the communication is paid for by a travel agency.  These communications are considered “marketing” under the new final regulations and therefore cannot be made without the individual’s explicit prior authorization.


The types of communications that are not considered marketing under the new final regulations (and which therefore may be made without authorization or consent of the patient) are:  (1) communications made by a covered entity to a patient wherein the covered entity is not paid for making the communication; and (2) communications made by a covered entity to a patient wherein the covered entity is paid for recommending a health-related product or service.[48]  An example of situation number one (unremunerated communications) would be a pharmacy that sends, on its own initiative and at its own expense, a communication to a patient that recommends that the patient switch medications to avoid a possible adverse drug reaction.  An example of situation number two (remunerated communications recommending health-related products or services) would be a pharmacy that is paid by a drug manufacturer to send refill reminders to patients taking the manufacturer’s drugs.[49]  Another example would be a pharmacy that is paid by a drug manufacturer to identify patients taking a competitor’s drug and send such patients letters encouraging them to switch to the manufacturer’s drug.[50]  Although these communications from the covered entity involve remuneration from a third party, such communications are not “marketing” under the new final regulations because they flow directly from the covered entity rather than the third party.  The Department’s revised final regulations characterize these communications as provider-patient communications, not marketing, and they may accordingly be made without prior authorization, notification that the communication is the result of remuneration, or identification of the party providing the remuneration.[51]  Patients do not have the right to “opt out” of these types of health-related communication,[52] even though they are inherently predicated on the use/disclosure of intimate, personally identifiable health information.


These “non-marketing” health-related communications may be made either directly by the covered entity or, more likely, by a business associate of the covered entity.  This means that a covered entity can share protected health information with a telemarketer if the covered entity has a business associate relationship with the telemarketer.[53]  Given the inability of HIPAA to directly regulate business associates,[54] the August 2002 final regulation’s narrowed definition of marketing creates additional opportunities for breaches of patient confidentiality.  Certainly most Americans would be concerned if they understood that telemarketers under contract with a covered entity had access to their health information and would want the telemarketers held to the same standards of confidentiality as the covered entity.  Michigan may wish to consider filling this new gap in HIPAA by enacting legislation to prohibit covered entities from using/disclosing protected health information to engage in any marketing communications (whether health-related or not) unless the patient has provided specific authorization.



III.  HIPAA Gaps Identified in Preliminary Report


A.  Electronic Data/Internet Issues


The electronic collection, storage and transfer of health information has become commonplace.  E-health is touted as the future of health care, promising to transform the way health care entities conduct business and change the way patients relate to their health care providers.[55]  Although e-health holds the promise of providing easier and more efficient dissemination of information (thus reducing health costs for everyone), it also poses a greater risk of invasion of individual privacy, since unauthorized access to electronic records may result in instant and wide dissemination of personally identifiable health information in a way that unauthorized access to paper records would not.  Of all the various places in which e-health information may be found, perhaps the greatest risk to privacy is presented by information collected and stored by health-related websites.


There are thousands of health-related web sites. Individuals can surf the web for any and all types of health information and advice.  More than sixty-five million American internet users have sought health and medical information online, and a significant number of them admit that they use this information to make important medical decisions.[56]  Of those individuals who surf the net for health-related information and advice, personal privacy is their top concern.[57]


The public’s concern about medical privacy on the internet is warranted.  A 1999 report of the Health Privacy Project of Georgetown University documented that major health web sites lack adequate privacy policies and their practices are often in conflict with their existing privacy statements.[58]  Moreover, many health-related websites require individuals to provide personally identifiable health information, sometimes without the individual’s knowledge.  For example, an individual may participate in a chat room where his/her e-mail address is visible.  Or a website may track users through the use of cookies. Cookies allow a website owner/operator to know when a user has visited their site and know precisely where the user went while visiting the site.  Cookies help the owners/operators of websites create online user profiles of individuals, which, in turn help sites determine what information, products, and services the visitor may find interesting.  They also allow sites to deliver specific content to users based on the individual’s previous online activities. Although cookies are only numbers assigned by a site to each user, personal data can be linked to the number when an individual provides identifiable information to the site (e.g., completing health assessments).  This kind of user profiling is not generally disclosed or explained to visitors of a site.


A recent example of an internet privacy lapse involved Eli Lilly Pharmaceutical Company’s website for the drug Prozac.  On that website, the pharmaceutical company established a message service in which enrolled individuals received messages reminding them to take the company’s anti-depressant drug.  In June 2000, the pharmaceutical company discontinued the program and, in its notice to enrollees of the program’s discontinuance, it disclosed the email addresses of everyone who had signed up for the service.[59]  Upon receiving a request to investigate by the American Civil Liberties Union, a complaint was filed by the Federal Trade Commission, alleging that Lilly’s privacy statement on its website was deceptive because Lilly had failed to maintain or implement measures to protect sensitive consumer information.[60]  According to the FTC’s complaint, Lilly failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the e-mail; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pre-testing the program internally before sending out the e-mail.[61]  Lilly’s failure to implement appropriate measures also violated a number of its own written security procedures.[62]  Lilly ultimately agreed to settle the complaint.[63]  Although Lilly’s breach of consumers’ privacy was unintentional, it was a serious breach of those consumers’ trust.  Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.
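The FTC complaint described above faults the absence of a pre-send check on the notification program. The following is an added illustration, written for this report and not code from Lilly or from the study; the report does not say exactly how the enrollee addresses were exposed, so the check treats any message whose recipient list, Cc header, or body contains another enrollee's address as a disclosure. The enrollee addresses and notice text are constructed, and the function names are hypothetical.

```python
"""Added example (not from the study report): a mass notification built the
failing way and the corrected way, plus the pre-send control that would have
flagged the failing version before anything was sent.

Everything below is constructed for illustration; the addresses are not real.
"""
from email.message import EmailMessage
from typing import Iterable, List

# Constructed sample enrollee list (assumption; not real addresses).
ENROLLEES = [
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]

SENDER = "reminder-program@example.com"  # constructed
NOTICE_TEXT = (
    "The medication reminder service is being discontinued. "
    "Thank you for participating."
)


def build_bulk_notice(enrollees: Iterable[str], sender: str, body: str) -> EmailMessage:
    """The failure mode: a single message addressed to every enrollee at once.
    Each recipient can read every other address and, implicitly, the fact that
    those people were enrolled in a medication-reminder program."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(enrollees)
    msg["Subject"] = "Program discontinuation"
    msg.set_content(body)
    return msg


def build_individual_notices(enrollees: Iterable[str], sender: str, body: str) -> List[EmailMessage]:
    """The corrected process: one message per enrollee, with no shared
    recipient list, so no message carries anyone else's address."""
    notices: List[EmailMessage] = []
    for address in enrollees:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = address
        msg["Subject"] = "Program discontinuation"
        msg.set_content(body)
        notices.append(msg)
    return notices


def recipient_exposure(messages: Iterable[EmailMessage], enrollees: Iterable[str]) -> List[str]:
    """Pre-send control: return, sorted, every enrollee address that would be
    disclosed to someone other than that enrollee. A message with more than one
    To: recipient exposes each of them to the others; an enrollee address in Cc
    or in the body is likewise a disclosure. An empty list means the batch is
    safe to send with respect to recipient privacy."""
    enrollee_set = set(enrollees)
    exposed = set()
    for msg in messages:
        to_field = str(msg["To"] or "")
        recipients = {a.strip() for a in to_field.split(",") if a.strip()}
        if len(recipients) > 1:
            exposed.update(recipients & enrollee_set)
        cc_field = str(msg["Cc"] or "")
        body = msg.get_content()
        for address in enrollee_set:
            if address in cc_field or address in body:
                exposed.add(address)
    return sorted(exposed)


if __name__ == "__main__":
    bulk = build_bulk_notice(ENROLLEES, SENDER, NOTICE_TEXT)
    print("bulk notice exposes:", recipient_exposure([bulk], ENROLLEES))
    individual = build_individual_notices(ENROLLEES, SENDER, NOTICE_TEXT)
    print("individual notices expose:", recipient_exposure(individual, ENROLLEES))
```

The point of keeping `recipient_exposure` separate from the message builders is that it can run as a gate in the sending pipeline regardless of how the messages were produced, which is the kind of process control (rather than reliance on a single employee getting it right) that the complaint identifies as missing.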



(1)  Michigan Law


Michigan law does not provide any special protections for personally identifiable health information that is transmitted electronically.  


(2)  HIPAA


HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit any health information in an electronic format in connection with a transaction covered by the Act.  Because many health-related websites are not owned or operated by a covered entity, they are not regulated by HIPAA.[64]  Whether or not a health-related web site is covered by HIPAA thus hinges upon who owns or controls the website, a determination that the average consumer is not in a position to make.  Indeed, because of HIPAA’s limited scope, two virtually identical web sites can be regulated differently, one subject to the stringent HIPAA protections, the other subject only to voluntary privacy policies (if any).[65]


One large category of health-related websites that are often unregulated by HIPAA is websites that are information-based.  Such sites are extremely popular and provide information about general fitness and nutrition or specific diseases, conditions, or medications.  They may offer a broad range of information or specialize in a certain drug, disease, or medical condition.  Some of these information websites assess health status and ask the user to provide information regarding personal health.  For example, one such site offers free general health assessments as well as disease-specific assessments to determine an individual’s risk for some of the leading causes of death.[66]  These sites collect personally identifiable health information of a potentially sensitive nature that can be used or sold to third parties if the owner/operator of the site does not have an “offline existence” whereby the owner/operator engages in covered activities under HIPAA (e.g., treating patients).  Thus, because such sites merely furnish health information and the owners/operators do not provide “health care” as defined in the federal regulation, they are not subject to HIPAA.  The bottom line is that consumers’ privacy is protected under HIPAA only if they visit a narrow, specific type of website (i.e., one owned/operated by a covered entity such as a health plan or health provider), and consumers will not be able to determine, in most instances, whether the websites they visit are regulated by HIPAA.  More often than not, consumers will visit and use websites not covered by HIPAA.


(3)  Potential Michigan Strategies


Michigan may wish to consider enacting a statute to regulate the privacy practices of health-related websites.  Texas, for example, has enacted a comprehensive post-HIPAA medical privacy law that, inter alia, applies the HIPAA privacy rules to any “person who maintains an Internet site.”[67]


States wishing to regulate health-related internet sites face several potential problems.  First, the chances are good that any websites that violate state privacy laws would not be located within the geographic boundaries of the state.  The ability to enforce the law within the state’s own court system would therefore be limited by the concept of personal jurisdiction over non-resident defendants.  If the internet site owner/operator engaged in activity that caused injury within the state, the state may be able to exercise specific personal jurisdiction over the non-resident website owner/operator,[68] provided the owner/operator has the requisite “minimum contacts”[69] with the forum state.


Even assuming that personal jurisdiction within the state’s court system could be satisfied (or that the aggrieved state/citizen would be willing to institute litigation in another forum where minimum contacts could be established), a question would certainly arise as to whether the state privacy law violated the Dormant Commerce Clause.  A neutral state law (i.e., a law that is even-handed in application and not discriminatory against out-of-state interests) may be held to violate the Dormant Commerce Clause if it imposes an undue burden on interstate commerce.[70]  In the face of a facially non-discriminatory law, courts will generally apply a balancing test, considering the non-discriminatory benefits to the state enacting the law and the harms to interstate commerce resulting from the law.  Strong state interests and a minimal burden on interstate commerce, in other words, will result in the state law being upheld.[71]  The Supreme Court has recognized that state laws designed to protect citizens’ privacy are strong and legitimate interests that may warrant some restrictions on the free flow of interstate commerce.[72]  If Michigan wished to adopt a law regulating the privacy practices of health-related internet sites, therefore, strong documentation of the benefits flowing to state residents from such a law would be advised.


As an alternative to enacting a statute regulating all health-related internet sites, the state could opt to enact a narrower statute regulating only those health-related internet sites physically maintained on servers located within the state of Michigan.  Such sites would include, for example, websites of Michigan-based managed care organizations, hospitals, provider groups, and trade associations.  Because such a statute would regulate only those entities located within the physical territory of Michigan, there presumably would be no difficulty obtaining personal jurisdiction for enforcement actions[73] and no Dormant Commerce Clause issues presented.


Another alternative would be to require all health-related internet sites to comply with a specific set of internet privacy guidelines, such as those developed by the American Medical Association.[74]  Likewise, the state could enact a statute that simply requires health-related internet sites to adopt a privacy policy and recognizes an explicit private right of action if the site violates its own privacy policy.[75]  A final alternative would be to statutorily authorize the creation of a statewide advisory board to act as ombudsman on issues regarding health information privacy.  The State of Maryland, for example, has created an advisory board to provide its General Assembly with information and recommendations on emerging issues in the confidentiality of medical records and to monitor developments in federal law regarding health information technology, telemedicine, and provider/patient communication.[76]  In addition, the state could ask an advisory board to develop model health privacy practices for voluntary or mandatory use by internet site owners/operators within the state.


B.  Sensitive Medical Information


            Certain types of medical information are undoubtedly more sensitive in nature than others because disclosure could result in stigmatization of or discrimination against the patient or the patient’s loved ones.  Medical information arguably falling within this category would include information about HIV/AIDS, pregnancy/abortion, sexually transmitted diseases, or genetic conditions.


(1) Michigan Law


Existing Michigan statutes that specifically address sensitive medical information[77] should remain in effect post-HIPAA because they are more stringent than the federal privacy rules and thus not subject to preemption.[78]  The one area in which Michigan has not yet acted, however, relates to genetic information.  Specifically, although Michigan has enacted anti-discrimination statutes relating to genetic information,[79] these statutes do not address or provide privacy protections.  Michigan’s lack of protection for genetic information is likely based, in part, on the 1999 recommendations of the Michigan Commission on Genetic Privacy and Progress, which concluded that it would not recommend special legal protections for the privacy of genetic information.[80]  The Commission’s reluctance to recommend special protection for genetic privacy was, however, at least partially due to the fact that the HIPAA privacy regulations had not yet been promulgated, thus making any state initiatives on genetic privacy premature.[81]


Since the HIPAA final regulations are now in effect and do not contain any heightened protection for genetic information, state legislation providing such protection may be warranted at this time.  Additional privacy protection for genetic information may be desirable due to the stigmatization often associated with such information,[82] as well as the potentially broad-ranging adverse psychological and social effects on the individual and on third parties (e.g., family members).[83]  Indeed, the adverse impact on third parties caused by the dissemination of genetic information distinguishes genetic information from other types of sensitive health information and thus may necessitate additional protection here where it may not be warranted or necessary elsewhere.


            (2) HIPAA


            The HIPAA privacy regulations establish one category of specially protected health information, psychotherapy notes, which a covered entity may not disclose without prior specific patient authorization.[84]  Moreover, under HIPAA, a health plan may not condition enrollment in the plan or provision of benefits under the plan upon the individual providing such authorization.[85]  Other sensitive health information that can be stigmatizing is not provided a heightened level of protection.


            (3) Potential Michigan Strategies


            The Michigan legislature may want to consider enacting additional statutes to provide heightened privacy protection for genetic information and/or other health information that has greater sensitivity.  Perhaps the greatest case can be made for special privacy protection for genetic information, as its availability is growing exponentially and its potential for harm to third parties makes it unique.


            The amount of genetic information that clinicians will have about their patients will increase substantially in the next several years.  The completion of the mapping of the human genome and the identification of an increasing number of markers for predisposition to disease will create new complexities regarding how such information is used and maintained to protect the privacy of the individual and the individual’s family.  Unlike most medical information, genetic information provides information about other relatives that could be inappropriately released and cause harm to third parties.


Recognizing the special problems posed by genetic information, some states, such as California,[86] New York,[87] and Missouri,[88] have enacted special privacy protections for genetic information that require the use of a specific written authorization for the release of such information and impose penalties for breach of privacy relating to such information.  Michigan may wish to emulate these states and enact specific privacy protections for genetic information.  Alternatively, Michigan could enact a more comprehensive statute to heighten privacy protection for all types of sensitive medical information.  One efficient approach, for example, would be to enact a statute modeled on HIPAA’s heightened protection for psychotherapy notes and require prior written authorization in order to use or disclose sensitive medical information (which could be defined as broadly or narrowly as the legislature deemed appropriate).



C.  Business Associates


HIPAA does not permit direct regulation of business associates of covered entities.[89]  A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information it receives or creates on behalf of the covered entity.[90]  HIPAA attempts to indirectly regulate these business associates by requiring covered entities to include contractual language with business associates that limit the business associate’s use or disclosure of protected health information to that provided for by the contract or as required by law.[91]  Furthermore, the contract must require that business associates notify the covered entity of any non-permitted use/disclosure of which the business associate becomes aware.[92]   If a business associate breaches these contractual provisions, the covered entity may be held responsible under HIPAA, but only if the covered entity knew of a pattern of activity by the business associate that constituted a material breach of their contractual obligations.[93]  Moreover, even if the covered entity has such knowledge, the covered entity will escape responsibility under HIPAA if it takes reasonable steps to cure or end the business associate’s breach.[94]


            (1) HIPAA


HIPAA’s inability to directly regulate business associates is viewed as a significant shortcoming within the privacy regulations.  Certain business associates of covered entities are in constant possession of individually identifiable health information which, if used or disclosed, could violate the privacy of patients.  For example, third party administrators (TPAs) that process claims for a covered entity, independent medical transcriptionists who work on a contractual basis for a covered physician or entity, or pharmacy benefit managers (PBMs) that manage a health plan’s pharmacist network—all of these business associates are not directly regulated by HIPAA and thus lack an independent, professional responsibility of confidentiality.  At most, such business associates are merely contractually liable to the covered entity in the event of a breach of patient confidentiality.


            (2) Potential Michigan Strategies


Michigan may wish to enact its own statute(s) to extend the HIPAA privacy protections to business associates.  Texas, for example, has enacted a comprehensive post-HIPAA medical privacy law that, inter alia, directly regulates business associates by applying the same standards to business associates as HIPAA imposes on covered entities.[95]  Similarly, Michigan could opt to provide greater privacy protections to Michiganians by extending the HIPAA requirements directly to all business associates, or perhaps only to specified types of business associates (e.g., Third Party Administrators).  Enacting such a state law would essentially require the HIPAA privacy rules to “pass through” to business associates in the State of Michigan and impose civil and criminal penalties for business associates who violate those rules.



D.  The “Enforcement Gap”: Creating State Enforcement Authority and/or Private Rights of Action


            The office within HHS that has been charged with enforcing the HIPAA privacy regulations recently admitted that, given its limited resources, the office would need to adopt a triage approach to enforcement, pursuing first those covered entities which have engaged in potentially the most broad-ranging violations.[96]  Given this environment, it is reasonable to expect that many violations of the privacy rules will not be pursued by the Department; thus, there is an important regulatory void that states are well-positioned to fill.  As stated previously, HIPAA’s enforcement scheme does not permit an aggrieved individual (whose right of privacy or of access has been violated) to recover damages or seek injunctive relief.  HIPAA allows only the Secretary of HHS to seek civil and/or criminal penalties against covered entities that violate the privacy regulations.  Moreover, HIPAA does not preempt states from enacting laws that are “more stringent” than the federal rules.


            There are thus two primary approaches that states could take in order to fill the enforcement void and help ensure that the federal privacy protections are more than a paper tiger: (1) enforcement via common law; and (2) enforcement via enactment of specific enforcement statutes permitting the state and/or private citizens to seek civil remedies upon violation.  For reasons discussed below, it is the authors’ belief that the latter approach (enactment of specific enforcement statutes) is preferable.


            (1) Enforcement Via Common Law


            As an initial matter, it should be noted that the existence of the HIPAA privacy rules themselves could be interpreted as creating new common law duties owed to patients by covered entities.[97]  A court embracing this interpretation of the privacy rules could therefore be expected to acknowledge an actionable tort upon the breach of such duties by a covered entity. 


            Even if a court did not believe that HIPAA created new duties under tort law, existing duties defined by tort law could potentially provide a means to enforce the privacy rules, above and beyond any action taken (or not taken) by HHS.  Specifically, existing torts such as invasion of privacy (publication of embarrassing private facts)[98] or breach of fiduciary duty/confidentiality[99] could be used to impose liability upon a covered entity that uses or discloses protected health information in violation of the federal privacy rules.  Each of these existing tort theories, however, poses difficulties for a plaintiff who wants to invoke them to remedy a violation of the HIPAA privacy rules.


                        (a)  Invasion of Privacy


            The tort of invasion of privacy based upon public disclosure of embarrassing private facts, for example, requires that the plaintiff establish three prima facie elements: (1) the disclosure of information; (2) that is highly offensive to a reasonable person; and (3) that is of no legitimate concern to the public.[100]  Although the Michigan courts have made it clear that a person’s medical treatment or condition is generally considered private information,[101] it would, in certain instances, be difficult to prove that disclosure of a person’s medical information is “highly offensive” or of “no legitimate concern to the public.”


A recent decision by the Michigan Court of Appeals, Doe v. Mills, is illustrative.[102]  In Mills, the plaintiffs sued anti-abortion protesters who learned of the plaintiffs’ intent to obtain abortions and, while protesting outside the clinic, held up large signs with the plaintiffs’ names on them.[103]  The Michigan trial court judge granted summary disposition of plaintiffs’ claim of invasion of privacy based upon publication of private facts,[104] reasoning that publication of the plaintiffs’ intent to obtain an abortion could not be viewed as highly offensive by a reasonable person[105] and that “abortion, no matter how one views this subject, is unquestionably a matter of great public concern . . . .”[106]

Although the Michigan Court of Appeals ultimately rejected the trial court’s reasoning and reversed in favor of the plaintiffs, the trial court’s decision suggests that there will be instances in which uncertainty will exist as to whether disclosure of medical information is sufficiently “offensive” or lacking in “public concern” so as to warrant recovery under the invasion of privacy tort.  This uncertainty, in turn, means that there will be instances in which disclosure of medical information will not be actionable, leaving those patients affected by the disclosure potentially without a civil remedy.


                        (b)  Medical Malpractice (Breach of Duty of Confidentiality)


The Michigan courts have likewise recognized the existence of a viable tort action based on medical malpractice when a licensed health care provider breaches her ethical duty to maintain patient confidentiality.[107]  This common law duty of confidentiality, however, is not absolute and is subject to several defenses, including voluntary waiver, justification, and waiver by operation of law.[108]  The shortcoming of this remedy is that it applies only to licensed health care providers[109] who are subject to evidentiary privileges, such as physicians, psychiatrists, and psychologists.[110]  Thus, a tort action for breach of confidentiality would presumably not lie against health care providers who are neither subject to evidentiary privileges (e.g., nurses, physician assistants, home health aides, physical therapists, etc.) nor licensed by the state (e.g., certain alternative health care providers).  Moreover, this tort would not apply to health care institutions (e.g., hospitals, nursing homes, rehabilitation facilities, etc.), that are either not subject to evidentiary privileges or not subject to a duty of confidentiality pursuant to the relevant licensing statute.  In short, there are simply too many providers and institutions that are likely not within the ambit of this tort, rendering it an ineffective remedy for patients who have been harmed by the use or disclosure of confidential medical information.


            (2) Enforcement Via Specific Statutes


            The other possible enforcement mechanism that Michigan may wish to consider for those harmed by uses and disclosures of medical information is the enactment of a specific statute that supplements HIPAA by allowing enforcement of state and/or federal privacy protections by either: (1) citizens acting as “private attorneys general” (i.e., private right of action statutes); or (2) state agencies that are specifically authorized to enforce state and/or federal health privacy laws.  Several states, both pre- and post-HIPAA, have opted to enact such statutes.


                        (a) Pre-HIPAA Private Right of Action Statutes


Prior to the enactment of HIPAA, various states had enacted statutes to permit private rights of action to remedy a violation of the state’s access or disclosure statutes.  These state statutes vary, however, with regard to the kinds of remedies available to aggrieved patients.  If a patient is denied access to his/her own medical records, state statutes often permit the patient to bring a civil action for equitable relief forcing disclosure to the patient.  Connecticut law, for example, states that a patient who has been refused access to his/her own medical records may file a civil action requesting that the court order the health care provider to disclose such records.[111]  Illinois law is a bit more stringent, stating that a patient denied access may recover expenses and reasonable attorney’s fees incurred in connection with any court ordered enforcement of his/her right to access.[112]


            Other states have opted to permit the recovery of monetary damages beyond merely costs and attorney’s fees.  Louisiana law, for example, states that failure to provide medical records to a patient within 15 days of a written request subjects the provider to a civil action for injunctive relief, reasonable attorney fees and expenses,[113] and further provides that “except for their own gross negligence, such health care providers shall not otherwise be held liable in damages by reason of their compliance with such request or their inability to fulfill the request[,]”[114] thereby implying that providers are also subject to monetary damages in instances of gross negligence.  Montana takes a similar approach, permitting a civil action not only to recover costs/expenses in forcing compliance, but also to recover additional compensation of up to $5,000 in the event that the provider acted willfully or with gross negligence.[115]


            Some states even permit recovery of punitive damages.  For example, for violation of its disclosure statute, Rhode Island allows recovery against a provider for attorney’s fees, actual damages, and punitive damages.[116]  California permits a private right of action to recover compensatory damages, attorney’s fees of up to $1,000, and punitive damages of up to $3,000.[117]


            An intriguing approach to enforcement permits private citizens to bring civil actions not only to recover personally, but also on behalf of the state.  The Maine statute is a good example.  Under Maine law, intentional disclosures of protected health information (in violation of the comprehensive Maine medical privacy statute) may be the subject of a private civil action by an aggrieved patient, who may obtain not only personal remedies such as injunctive relief and costs, but also civil monetary penalties, which, if awarded by the court, are payable to the State.[118]


                        (b)  Post-HIPAA Enforcement Statutes—the Texas Approach


Another approach can be found in Texas, which enacted a medical information privacy law post-HIPAA that created private civil actions to fill the perceived gap in federal enforcement of HIPAA.  The Texas statute is specifically designed to pick up where HIPAA leaves off, by adding protections not afforded by the federal regulations and by making the federal regulations enforceable by both private citizens and the state.[119]


In some important respects, the Texas statute is broader in reach than HIPAA because it applies to all health care providers (not just those who submit health information in standard electronic format) and directly regulates those who receive or possess such information including, for example, internet sites and business associates.[120]  In addition, the Texas law employs a broader definition of “marketing” than the federal HIPAA regulations[121] and regulates the use of protected health information much more stringently than the federal regulations.[122]  Specifically, the Texas law forbids covered entities from using, disclosing or selling protected health information “without the consent or authorization of the individual who is the subject of the protected health information.”[123]  Recall that the revised regulations issued by the Bush Administration in August 2002 now permit a covered entity to use protected health information to recommend a health-related product or service, even if it is paid by a third party to make such a recommendation.[124]   This means that, under HIPAA, a pharmacy is permitted to send information to patients recommending that they switch to another medicine, even if the pharmacy is paid to do this by a drug company, because this kind of information is health-related.[125]  Under HIPAA, however, a pharmacy could not (without written patient authorization) receive money from a third party to identify patients receiving anti-depressant medications in order to send those patients information about soothing vacation destinations (because such information is not “health-related”). 


            Texas law, by contrast, states that if a covered entity receives (directly or indirectly) any financial incentive or remuneration for the use, access, or disclosure of protected health information, it is considered “marketing.”[126]  As such, the covered entity could not sell, use or disclose protected health information unless it obtains the consent or authorization of the patient.[127]  Moreover, even if the individual consents or authorizes the covered entity to sell, use or disclose their protected health information, any written marketing communication must provide the patient with a toll-free number of the entity that is sending the communication and explain the patient’s right to have his/her name removed from the sender’s mailing list.[128]


            The Texas statute is enforceable by both the state and private citizens.  Specifically, the Texas Attorney General is authorized to enforce the statute through actions for injunctive relief and civil monetary penalties.[129]  The statute also explicitly states that violation of the law will subject a licensed health care provider/facility to investigation and disciplinary proceedings by the relevant licensing authority.[130]  If there is evidence that violations of the law “constitute a pattern or practice,” the statute authorizes the state licensing agency to revoke the individual’s/facility’s license[131] and requires that the individual/entity be “excluded from participating in any state-funded health care program,”[132] such as Medicaid.  Finally, the Texas law explicitly leaves open the possibility of private rights of action by aggrieved citizens, stating that “[t]his chapter does not affect any right of a person under other law to bring a cause of action or otherwise seek relief with respect to conduct that is a violation of this chapter.”[133]


            Because the Texas statute was enacted post-HIPAA, its continued viability (in terms of preemption issues) is not in doubt.  Moreover, by making direct reference to HIPAA and explicitly “taking up where HIPAA leaves off,” it creates a simpler, more efficient regulatory scheme.  Another benefit of the Texas approach is that it creates three layers of possible enforcement of the federal privacy rules: (1) HHS; (2) the state; and (3) private citizens.  In this manner, if the federal government is unwilling or unable to bring an enforcement action, either the state or private citizens may step in to fill the regulatory void.  It is the authors’ belief that the Texas approach would be the best approach for the state of Michigan, should the state legislature wish to enact medical information privacy laws post-HIPAA.



IV.  Conclusion


            Although the federal government has recognized the importance of protecting the privacy of medical information through the enactment of HIPAA and the promulgation of its privacy rules, the federal law clearly offers only a minimum level of privacy protection.  It is incumbent upon the states, therefore, to fill the regulatory gaps in HIPAA by enacting laws that provide greater protections to their citizens. 


            This report takes the first step toward providing those protections for the citizens of Michigan by identifying the major gaps in HIPAA and suggesting possible state actions to fill those gaps.  Although there are many ways to address these regulatory voids, perhaps the simplest, most efficient and comprehensive approach is exemplified by the new privacy law enacted in Texas, which explicitly references the HIPAA final regulations, proceeds to “pass through” those regulations to state law (for enforcement purposes), and expands upon them by regulating entities (e.g., business associates and internet sites) and activities (e.g., employing a broader definition of marketing) not covered by HIPAA.  At a minimum, it seems likely that, in order for the HIPAA regulations to be meaningful, some sort of expanded enforcement legislation needs to be enacted at the state level, either by permitting state authorities to sue/prosecute for violations of the federal regulations, or by permitting private individuals to bring civil actions for damages.  We urge the MLRC to consider the recommendations in this report and look forward to assisting the Commission in its continued effort to improve the privacy of health information for Michigan’s citizens.

[1]Pub. L. No. 104-191, 110 Stat. 1936 (1996).  The initial set of final regulations was issued in the waning days of the Clinton Administration.  See 65 Fed. Reg. 82,801 (Dec. 28, 2000).

[2]67 Fed. Reg. 53,182 (Aug. 14, 2002).


[4]Press Release, U.S. Dep’t of Health and Human Services, Modifications to the Standards for Privacy of Individually Identifiable Health Information—Final Rule (Aug. 9, 2002), available at

[5]Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(1), 110 Stat. 2033 (1996).


[7]65 Fed. Reg. 82,801 (Dec. 28, 2000).

[8]66 Fed. Reg. 12,738 (Mar. 20, 2002).

[9]67 Fed. Reg. 53,182 (Aug. 14, 2002).

[10]65 Fed. Reg. 82,799 (Dec. 28, 2000) (defining “health plan”).  The definition of health plan is quite broad, including, inter alia, self-insured ERISA plans, HMOs, traditional health insurance plans, Medicare, Medicaid, Medigap policy issuers, issuers of long-term care insurance, employee welfare benefit plans that offer health benefits, CHAMPUS, the Indian Health Service, and SCHIP plans.  Id.  See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(5).

[11]“Health care clearinghouse” is defined as a “public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘value added’ networks and switches, that does either of the following functions:

(1)   Processes or facilitates the processing of health information received from another entity in nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2)   Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.”

Id. at 82,799.  See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(2).

[12]“Health care provider” is defined to include “any [ ] person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 65 Fed. Reg. 82,799 (Dec. 28, 2000). See also Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1171(3).

[13]Examples of the transmission of health information in electronic form include, inter alia, the filing of health claims or equivalent encounter information, enrollment or disenrollment in a health plan, determining eligibility for a health plan, health plan payment and remittance, and referral certification and authorization.  See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936, at § 1173(a)(2).

[14]65 Fed. Reg. 82,799 (defining “covered entity”).

[15]Administrative Simplification Compliance Act, Pub. L. No. 107-105, 115 Stat. 1003, at § 3.  This law was signed by President Bush on December 27, 2001.

[16]Id.  The Administrative Simplification Compliance Act states that the Secretary of HHS “shall waive” the requirement for submission of claims in electronic format if:  (1) there is no method available for the submission of claims in an electronic format; or (2) the entity submitting the claim is a small provider of services or supplier; and (3) may waive the requirements in such unusual circumstances as the Secretary finds appropriate.  Id.  See also id. at § 3(a)(2) (defining “small provider”).

[17]65 Fed. Reg. at 82,801.  The Secretary may waive the 180 day time limit for good cause.  Id.

[18]Id. at 82,802.



[21]42 U.S.C. § 1320d-5 (2003).

[22]Id. at § 1320d-6(b)(1).

[23]Id. at § 1320d-6(b)(2).

[24]Id. at § 1320d-6(b)(3).

[25]See Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, Title II, Subtitle F, § 264(c)(2), 110 Stat. 2033 (1996) (“A [health privacy] regulation promulgated [by HHS] shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed by regulation.”).

[26]See id. at 82,801.  The final regulation defines a “more stringent” state law as one that meets one or more of the following criteria:

(1)   With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter, or

(ii) To the individual who is the subject of the individually identifiable health information.

(2)   With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

(3)   With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4)   With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.


[27]Id. at 82,800.  See also 67 Fed. Reg. 53,182, 53,266 (Aug. 14, 2002) (amending definition of “more stringent”).

[28]Id. at 82,801.




[32]See 65 Fed. Reg. 82,510, at § 164.506(a).

[33]Id. at 82,810.


[35]Id. at 82,810, at § 164.506(b).

[36]67 Fed. Reg. 53,182, 53,208-53,211.

[37]See 67 Fed. Reg. 53,238-53,243 (discussing modifications to Section 164.520, dealing with notice of privacy practices for protected health information).

[38]67 Fed. Reg. at 53,243 (“The Department clarifies that no special or separate mailings are required to satisfy the notice distribution requirements.”).

[39]67 Fed. Reg. at 53,239.


[41]See Mont. Code Ann. § 50-16-525(1) (2002); id. at § 50-16-526.  The statute permits unauthorized disclosure on a “needs to know” basis in certain specific situations.  Id. at §§ 50-16-529 to -530.  State officials may enforce the Act, id. at § 50-16-552, or aggrieved citizens may institute private rights of action if harmed by unlawful disclosure.  Id. at § 50-16-553.

[42]65 Fed. Reg. 82,510, 82,810, at § 164.506(a).

[43]See 65 Fed. Reg. 82,819 at § 164.514(e)(2)(C); see also id. at § 164.514(e)(3)(i).

[44]The final regulation states:

Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

                        (A)  A face-to-face communication made by a covered entity to an individual; or

                        (B)  A promotional gift of nominal value provided by the covered entity.

67 Fed. Reg. at 53,268, § 164.508(a)(3)(i).

[45]Joanne Hustead of the Health Privacy Project at Georgetown University stated:

Due to the final modifications released in August 2002, the HIPAA privacy regulation has been further weakened.  The Health Privacy Project is particularly concerned by HHS’s decision to eliminate the provider consent requirement and to open up people’s medical files for marketing activities with prior authorization.  While HHS claims to have strengthened the marketing provisions by requiring prior authorization for marketing, the Department has done quite the opposite:  HHS has defined the term ‘marketing’ in a way that effectively legalizes some of the most egregious marketing tactics of the chain drug stores and their partners, the pharmaceutical industry.

Oversight Hearing on Privacy Concerns Raised by the Collection and Use of Genetic Information by Employers and Insurers Before the House Comm. on the Judiciary, Subcomm. on the Constitution, 107th Cong. (Sept. 12, 2002) (statement of Joanne L. Hustead, Senior Counsel, Health Privacy Project, Georgetown Univ.), available at

[46]The new definition is found in § 164.501, which states as follows:

            Marketing means:

(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:

                        (i) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:  the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to health plan enrollees that add value to, but are not part of, a plan of benefits.

                        (ii) For treatment of the individual; or

                        (iii) For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

(2) An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.

67 Fed. Reg. at 53,267, § 164.501.

[47]See 67 Fed. Reg. at 53,187 (“[M]any were concerned that a pharmaceutical company could pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients.  The commenters believed the proposal would permit this to happen under the guise of the pharmaceutical company acting as a business associate of the covered entity . . . . Therefore, the Department is adding language that would make clear that business associate transactions of this nature are marketing. . . . These communications are marketing and can only occur if the covered entity obtains the individual’s authorization . . . .”).

[48]See 67 Fed. Reg. at 53,188 (“Covered entities may, however, use protected health information to communicate with individuals about the covered entity’s own health related products or services, the individual’s treatment, or case management or coordination for the individual.  The covered entity does not need an authorization for these types of communications and may make the communication itself or use a business associate.”).

[49]See 67 Fed. Reg. at 53,187 (“The Department does not agree that the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service.  For example, health care providers should be able to and can send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication.”).

[50]See 67 Fed. Reg. at 53,188 (“The Department believes that certain health care communications such as refill reminders or informing patients about existing or new health care products or services are appropriate, whether or not the covered entity receives remuneration from third parties to pay for them.”).

[51]See 67 Fed. Reg. at 53,188 (“Requiring disclosure and opt-out conditions on these communications . . . would add a layer of complexity to the Privacy Rule that the Department intended to eliminate.  Individuals, of course, are free to negotiate with covered entities for limitations on such uses and disclosures, to which the entity may, but is not required to, agree.”).

[52]Id.

[53]General Overview of Standards for Privacy of Individually Identifiable Health Information, Office of Civil Rights, U.S. Dep’t of Health and Human Services, at 70 (Dec. 3, 2002), available at

[54]See infra Section III(C).

[55]“eHealth has been defined as ‘the use of emerging information and communication technology, especially the Internet, to improve or enable health and health care.’”  T.R. Eng, The eHealth Landscape:  A Terrain Map of Emerging Information and Communication Technologies in Health and Health Care, The Robert Wood Johnson Foundation 20 (2001).

[56]Health Privacy Project, Pew Internet & Am. Life Project, Exposed Online:  Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users 1 (2001) [hereinafter Pew Report].

[57]Margaret A. Winker, et al., Guidelines for Medical and Health Information on the Internet, Am. Medical Ass’n, available at 1905.htm.

[58]Pew Report at 5.

[59]Id. at 23.

[60]Press Release, Federal Trade Comm’n, Eli Lilly Settles FTC Charges Concerning Security Breach (Jan. 18, 2002), available at




[64]Pew Report at 7.


[66]Id. at 17.

[67]Tex. Health & Safety Code Ann. § 181.001(b)(1)(A) (2002).

[68]Application of specific personal jurisdiction concepts to internet defendants has been difficult for the courts.  Most courts seem to have embraced a “sliding scale” approach that permits the exercise of specific personal jurisdiction only when the internet defendant knowingly reaches out to interact with citizens of the forum state.  See, e.g., Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119, 1124 (W.D. Pa. 1997); Young v. New Haven Advocate, 315 F.3d 256 (4th Cir. 2002); Revell v. Lidov, 317 F.3d 467 (5th Cir. 2002).

[69]This is, of course, the famous test pronounced in International Shoe.  International Shoe Co. v. Washington, 326 U.S. 310, 316 (1945).

[70]See, e.g., Consolidated Freightways Corp. v. Kassel, 450 U.S. 662 (1981) (invalidating Iowa statute banning the use of double-trailer trucks as placing an undue burden on interstate commerce); Edgar v. MITE Corp., 457 U.S. 624 (1982) (invalidating Illinois statute restricting corporate takeovers because of undue burden on interstate commerce).

[71]See, e.g., Minnesota v. Clover Leaf Creamery Co., 449 U.S. 456 (1981); CTS Corp. v. Dynamics Corp. of America, 481 U.S. 69 (1987).

[72]See Breard v. Alexandria, 341 U.S. 622 (1951) (upholding local ordinance prohibiting unsolicited door-to-door solicitation).

[73]See Pennoyer v. Neff, 95 U.S. 714, 722 (1877) (“[E]very State possesses exclusive jurisdiction and sovereignty over persons and property within its territory.”); Burnham v. Superior Court, 495 U.S. 604, 610 (1990) (“Among the most firmly established principles of personal jurisdiction in American tradition is that the courts of a State have jurisdiction over nonresidents who are physically present in the State.”).

[74]Margaret A. Winker, et al., Guidelines for Medical and Health Information Sites on the Internet, available at

[75]Eighty-one percent of those who seek information on the internet want the right to sue a site that violates its own privacy policy.  Pew Report at 5.

[76]See Md. Code Ann. § 4-3A-01-05 (2002).



[77]See the Preliminary Report for a detailed discussion of these Michigan laws relating to sensitive medical information.

[78]See supra Section II(C) for a discussion of HIPAA’s preemptive scope.

[79]See Mich. Comp. Laws § 37.1202 (workplace discrimination); id. at §§ 550.1401 and 550.3407b (health insurance discrimination).

[80]See Mich. Comm’n on Genetic Privacy & Progress, Final Report & Recommendations 46 (Feb. 1999).

[81]Id. (“After the federal government enacts privacy legislation the state can conduct an analysis to determine the need for any state legislation.”).

[82]See Janet L. Dolgin, Personhood, Discrimination and the New Genetics, 66 Brooklyn L. Rev. 755, 765 (2001).

[83]See Eric Mills Holmes, Solving the Insurance/Genetic Fair/Unfair Discrimination Dilemma in Light of the Human Genome Project, 85 Ky. L. J. 503, 571-575 (1997) (documenting the stigmatization and psychological trauma associated with genetic information).

[84]65 Fed. Reg. at 82,811.  There are a few limited exceptions in which authorization is not required.  See id.


[86]See Cal. Ins. Code §§ 742.407, 10123.35 (Deering 2003).

[87]See N.Y. Civ. Rights Law § 79-1 (Consol. 2003).

[88]See Mo. Rev. Stat. § 375.1309 (2003).

[89]67 Fed. Reg. at 53,252 (“The Department does not have the statutory authority to hold business associates, that are not also covered entities, liable under the Privacy Rules.”).

[90]See 65 Fed. Reg. 82,798, § 160.103 (defining “business associate”).

[91]Id. at 82,808, § 164.504(e)(2)(i)-(ii).

[92]Id. at 82,808, § 164.504(e)(1).


[94]Id.  See also 67 Fed. Reg. at 53,252 (“The Privacy Rule does not require a covered entity to actively monitor the actions of its business associates nor is the covered entity responsible or liable for the actions of its business associates.  Rather, the Rule only requires that, where a covered entity knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate’s obligations under the contract, the covered entity take steps to cure the breach or end the violation.”).

[95]See Tex. Health & Safety Code Ann. § 181.001(b)(1) (2002) (including business associates in the definition of “covered entity”).

[96]Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 Yale J. Health Pol’y L. & Ethics 325, 344 (2002) (citing Louis Altarescu, Address at the Health Privacy Project’s National Consumers’ Summit on Navigating the New Federal Health Privacy Regulations (Feb. 5, 2001)).

[97]See Summary of HIPAA Privacy Rule, Health Privacy Project, Institute for Health Care Research & Policy, Georgetown University, Sept. 13, 2002, at 33 (“[B]ecause the new regulation creates a new ‘duty of care’ with respect to health information, it is possible that violations may be the grounds of state tort actions.”).

[98]See, e.g., Winstead v. Sweeney, 205 Mich. App. 664, 517 N.W.2d 874 (Mich. Ct. App. 1994); Fry v. Ionia Sentinel-Standard, 101 Mich. App. 725, 300 N.W.2d 687 (Mich. Ct. App. 1980).  Tennessee has enacted a specific statute explicitly acknowledging that a civil action based on invasion of privacy may be brought in the event of inappropriate use/disclosure of a patient’s medical information.  See Tenn. Code Ann. § 68-11-1504 (2002).

[99]See Saur v. Probes, 190 Mich. App. 636, 476 N.W.2d 496 (Mich. Ct. App. 1991).

[100]Doe v. Mills, 212 Mich. App. 73, 80, 536 N.W.2d 824 (Mich. Ct. App. 1995); see also Winstead v. Sweeney, 205 Mich. App. 664, 668, 517 N.W.2d 874 (Mich. Ct. App. 1994); Fry v. Ionia Sentinel-Standard, 101 Mich. App. 725, 728-29, 300 N.W.2d 687 (Mich. Ct. App. 1980) (citing Restatement (Second) of Torts § 652D).

[101]Doe, 212 Mich. App. at 82-83 (holding that plaintiffs’ plans to obtain an abortion is private information) (citing Swickard v. Wayne Co. Medical Examiner, 438 Mich. 536, 560, 475 N.W.2d 304 (Mich. 1991)).  See also Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488 (Mo. Ct. App. 1990) (concluding that non-consensual publicity of plaintiff’s participation in IVF process stated a claim for invasion of privacy).

[102]212 Mich. App. 73, 536 N.W.2d 824 (Mich. Ct. App. 1995).

[103]212 Mich. App. at 77.

[104]Id. at 78.

[105]Id. at 80-81 (noting that the trial judge’s opinion suggested that the disclosure of an individual’s intention to obtain an abortion was not actionable as a matter of law when he stated, “Would plaintiffs seriously suggest or argue that one who contemplates or schedules an abortion has committed an act that is highly offensive to a reasonable person?”).

[106]Id. at 83.

[107]Saur v. Probes, 190 Mich. App. 636, 476 N.W.2d 496 (Mich. Ct. App. 1991).

[108]Saur, 190 Mich. App. at 639-40.

[109]The Court of Appeals in Saur justified its recognition of tort liability for breach of confidence as follows:

Also particularly compelling in favor of recognizing a legal duty to maintain patient confidentiality is this state’s medical licensing statute. . . . A physician is ethically obligated under the licensing statute not to disclose information obtained through the physician-patient relationship.  In light of a psychiatrist’s ethical obligation to maintain patient confidences, as well as the state’s interest in preserving its policy of protecting physician-patient confidences, we conclude that a legal duty does exist on the part of a psychiatrist not to disclose privileged communications.

See id. at 639.

[110]See id. at 638-39 (“[T]hese statutes [creating evidentiary privileges for psychiatrists, psychologists and physicians] do exhibit this state’s policy of promoting physician-patient confidences absent a superseding public or private interest.”).

[111]Conn. Gen. Stat. § 20-7c (2001).  See also N.H. Rev. Stat. Ann. § 151:30 (2002).

[112]735 Ill. Comp. Stat. Ann. 5/8-2003 (West 2002).

[113]La. Rev. Stat. Ann. § 40:1299.96(A)(2)(c) (West 2002).


[115]Mont. Code Ann. § 50-16-553 (2002).

[116]R.I. Gen. Laws § 5-37.3-4(a)(1) (2002).  In addition, the Rhode Island statute permits the state to seek recovery of a civil monetary penalty of up to $5,000 per violation and/or imprisonment for up to 6 months.  Id. at § 5-37.3-4(a)(3).

[117]Cal. Civil Code § 56.35 (Deering 2001).

[118]Me. Rev. Stat. Ann. tit. 22, § 1711-C(13) (West 2001).  The CMPs may not exceed $5,000, plus costs, unless the court finds the violations occurred after “due notice of the violation conduct with sufficient frequency to constitute a general business practice,” in which case the CMPs may be imposed up to $10,000 for individual health care providers and $10,000 for health care facilities.  Id.  The Maine statute also states that the aggrieved patient may pursue, in a private civil action “all available common law remedies, including but not limited to an action based on negligence.”  Id.

[119]See Tex. Health & Safety Code Ann. § 181.001 et seq. (Vernon 2002).

[120]Id. at § 181.001(b)(1).

[121]Id. at § 181.001(b)(4).

[122]Id. at § 181.152.

[123]Id. at § 181.152(a). The statute also prohibits coercing an individual’s consent.  Id.

[124]See 67 Fed. Reg. 53,182, 53,187 (“The Department does not agree that the simple receipt of a remuneration should transform a treatment communication into a commercial promotion of a product or a service.”).

[125]67 Fed. Reg. at 53,187 (“For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication.”).

[126]Tex. Health & Safety Code Ann. § 181.001(b)(5) (Vernon 2002).

[127]Id. at § 181.152(a).

[128]Id. at § 181.152(b).

[129]Id. at § 181.201.  CMPs may be imposed of up to $3,000 per violation or, if the court finds violations “constitute a pattern or practice,” CMPs may be assessed up to $250,000.  Id.

[130]Id. at § 181.202.


[132]Id. at § 181.203.

[133]Id. at § 181.204.