Electronic medical records (“EMRs”) have helped healthcare organizations improve patient care, but EMRs are susceptible to exposing patients’ confidential medical records to identity thieves and members of the general public. The federal enforcement of patient privacy law—notably the Health Insurance Portability and Accountability Act (“HIPAA”), which was designed to deter and punish breaches of patient privacy—has failed to keep pace with the new privacy risks posed by healthcare technology. Although federal legislation now allows state Attorneys General to file suit under HIPAA, for reasons explained in this Article, they too will not enforce HIPAA effectively. Because institutional enforcement of HIPAA does not adequately protect patient privacy in a digital healthcare environment, this Article proposes a multifaceted solution. In doing so, this Article contributes a framework for categorizing different types of patient privacy breaches, which demonstrates that improving HIPAA enforcement and strengthening patient privacy protections will require different types of solutions depending on the type of breach.