Assessing Public and Private Rights of Action to Police Health Data Sharing

The Law and Ethics of Data Sharing in Health Sciences

Abstract

Data is an integral part of healthcare delivery. A growth in digital technologies has produced large swaths of health data that contain individuals’ personal, and often sensitive, information. A key question for policymakers is how to regulate the collection, storage, sharing, and disclosure of this information. In this chapter, the authors evaluate two different types of regulatory enforcement mechanisms: public rights of action (where the government sues) and private rights of action (where private persons sue). They use a recent case to illustrate the advantages and drawbacks of private rights of action in health data privacy cases, and then use this analysis to contrast them with public rights of action. Their analysis suggests that public and private rights of action should be viewed as complementary regulatory tools, rather than competing alternatives. In short, both public and private rights of action have important roles in regulating health data. To ensure private rights are effective regulatory tools, policymakers should pay particular attention to how those rights of action are designed and implemented.


Notes

  1. Wood (2017), (Accessed 14 February 2023).
  2. Dinerstein v. Google, LLC, 484 F. Supp. 3d 561 (2020). The case is currently on appeal at the Seventh Circuit.
  3. Dinerstein, 484 F. Supp. 3d at 569–570.
  4. Dinerstein, 484 F. Supp. 3d at 566, 568.
  5. Dinerstein, 484 F. Supp. 3d at 570.
  6. Dinerstein, 484 F. Supp. 3d at 569.
  7. E.g., Calhoun v. Google LLC, 526 F. Supp. 3d 605, 617 (N.D. Cal. 2021); In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 979 (N.D. Cal. 2016); Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 7 (D.D.C. 2015).
  8. Health Insurance Portability and Accountability Act of 1996, § 262 et seq., 42 U.S.C.A. § 1320d, et seq.
  9. 45 C.F.R. §§ 160, 164.102–164.106, 164.500–164.534.
  10. 45 C.F.R. §§ 160, 164.102–164.106, 164.302–164.318.
  11. E.g., Healthcare Finance News (2023) (Accessed 14 February 2023).
  12. Hall et al. (2018), pp. 124–127.
  13. 15 U.S.C. § 41 et seq.
  14. 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b.
  15. Complaint, U.S. v. Easy Healthcare Corp., 23-cv-3107, at *2 (filed May 17, 2023); Stipulated Order, U.S. v. Easy Healthcare Corp., 23-cv-3107 (filed May 17, 2023).
  16. 15 U.S.C. §§ 1681e(b), 1681s.
  17. United States v. AppFolio, 1:20-cv-03563, Complaint, at *5-6 (filed Dec. 12, 2020). United States v. AppFolio, 1:20-cv-03563, Stipulated Judgment (January 12, 2021).
  18. 16 C.F.R. § 312.
  19. 16 C.F.R. § 312.3.
  20. 16 C.F.R. § 312.3.
  21. FTC may develop information in a civil investigation that can support a criminal prosecution by the DOJ. https://www.ftc.gov/enforcement/criminal-liaison-unit (Accessed 14 February 2023).
  22. Pub. L. 111-5, Feb. 17, 2009, 123 Stat. 115, § 1307.
  23. 16 C.F.R. § 318.7 et seq.
  24. 16 C.F.R. § 318.7. We emphasize that the laws discussed are federal and apply to patients and health systems anywhere in the U.S. Some individual U.S. states, like California and Virginia, have passed their own privacy laws with implications for health data.
  25. These are not the only features of public enforcement of public law, but a few salient ones we highlight.
  26. The Department of Health and Human Services’ (HHS) Office for Civil Rights enforces the HIPAA Privacy and Security Rules. If a possible criminal violation has occurred, HHS may refer the case to the Department of Justice (DOJ). State Attorneys General may also bring civil actions on behalf of state residents to enforce violations of the Privacy and Security Rules. 42 U.S.C. § 1320d-5(d). For unfair and deceptive practices, the Federal Trade Commission brings enforcement actions. Like HHS in the context of HIPAA, the FTC may work with or refer civil cases to DOJ for criminal prosecution. The FTC is also charged with enforcing COPPA and the Health Breach Notification Rule, bringing civil enforcement actions against companies that may have violated the law.
  27. Of course, federal statutes can also serve as the basis for argument in a private lawsuit, such as in the tort doctrine of negligence per se. For a discussion of this intersection, see, e.g., Geistfeld (2014).
  28. Agencies can do this using a variety of tools, including rulemaking, adjudication, licensing, enforcement, and policy-setting (Ruhl and Robisch 2016). Agencies also use tools to maintain internal control over discretion and keep bureaucrats accountable to the agency (Metzger and Stack 2017).
  29. Remarks by Chair Lina M. Khan on the Health Breach Notification Rule Policy Statement. Commission File No. P205405, September 15, 2021, available at: https://www.ftc.gov/system/files/documents/public_statements/1596360/remarks_of_chair_lina_m_khan_regarding_health_breach_notification_rule_policy_statement.pdf (Accessed 14 February 2023).
  30. Federal Trade Commission (2023), (Accessed 15 February 2023). For a more recent case demonstrating a commitment to enforcement of the Health Breach Notification Rule, see the Easy Healthcare case, below.
  31. Ruhl and Robisch (2016) (describing how agencies use discretion to claim they have no authority over a problem).
  32. US v. Kurbo, Inc. & WW International, Inc., 22-CV-946, Complaint (filed February 16, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf (Accessed 19 June 2023).
  33. Federal Trade Commission (2022), (Accessed 15 February 2023).
  34. U.S. v. Kurbo, Inc. & WW International, Inc., 22-CV-946, Complaint at *14-15 (filed February 16, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf (Accessed 19 June 2023).
  35. Even without tracking children’s data, WW might still make money by selling services or products to children who use the app (or to their parents if the app is “shared” or has parental oversight).
  36. Solove and Hartzog (2014).
  37. Mance (2023), (Accessed 19 June 2023).
  38. 5 U.S.C. § 552.
  39. 5 U.S.C. § 552. Engstrom (2013, pp. 630–631).
  40. Engstrom (2013).
  41. Mance (2023).
  42. Federal law can also create private rights of action. E.g., 15 U.S.C. § 1681n-o (creating a private right of action under the Fair Credit Reporting Act).
  43. Some claims are authorized explicitly, other times courts find them to exist implicitly (Davis 2014).
  44. Burbank et al. (2013, pp. 648–661).
  45. A federal court applies the rules of Article III standing whenever “Congress creates new private causes of action to vindicate private or public rights.” Spokeo, Inc. v. Robins, 578 U.S. 330, 348 (2016), as revised (May 24, 2016) (Thomas, J., concurring). We note that standing is typically dictated by forum (Article III court versus state court) rather than cause of action. And, although we use the terms “private enforcement” and “private rights of action” interchangeably, we note the distinction between the former, which may arise under common law or federal law, and the latter, which scholars have used to describe enforcement of public law through a legislatively authorized cause of action. We also mean to exclude from discussion “private rights of initiation”: suits by private parties against agencies seeking to require agency action (Stewart and Sunstein 1982, p. 1197).
  46. States also have separate standing doctrines, which do not necessarily follow federal requirements. Wexler v. Wirtz Corp., 809 N.E.2d 1240, 1243 (Ill. 2004) (stating standing requirements); Lebron v. Gottlieb Mem’l Hosp., 930 N.E.2d 895, 917 (Ill. 2010) (noting not required to follow federal standing principles).
  47. Standing is also required in public rights of action, but the statute giving the right typically matches the cognizable injury needed. But see below.
  48. Spokeo, 578 U.S. at 338 (quoting Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180–181 (2000)).
  49. Spokeo, 578 U.S. at 334 (2016) (quoting Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180–181 (2000)).
  50. Dinerstein, 484 F. Supp. 3d at 571. Dinerstein concerned only the standing of the individual plaintiff, not the class members. TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).
  51. E.g., Burbank et al. (2013, p. 639, n. 2).
  52. Dinerstein, 484 F. Supp. 3d at 577–578.
  53. Dinerstein, 484 F. Supp. 3d at 578.
  54. Dinerstein, 484 F. Supp. 3d at 575 (quoting Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 619–20 (7th Cir. 2020) (discussing Spokeo)).
  55. Although the court suggested the statute in Spokeo did not create “a degree of risk sufficient to meet the concreteness requirement,” it refrained from ruling on the subject, remanding the case to the Ninth Circuit for further consideration. Spokeo, 578 U.S. at 343.
  56. Ramirez, 141 S. Ct. at 2200, 2204-07.
  57. Dinerstein, 484 F. Supp. 3d at 580.
  58. Dinerstein, 484 F. Supp. 3d at 582.
  59. Dinerstein, 484 F. Supp. 3d at 588.
  60. Dinerstein, 484 F. Supp. 3d at 591–592.
  61. Dinerstein, 484 F. Supp. 3d at 594 (quoting Lovgren v. Citizens First Nat. Bank of Princeton, 534 N.E.2d 987, 989 (Ill. 1989)).
  62. Burbank et al. (2013).
  63. Scholz (2022).
  64. E.g., Carpenter (2010).
  65. Scholz (2022).
  66. Cheng (1985).
  67. Dinerstein, 484 F. Supp. 3d at 567.
  68. These are discussed at length in Burbank et al. (2013). See also Scholz (2022) (arguing for using both in privacy regime).
  69. Landes and Posner (1975).
  70. Landes and Posner (1975, p. 36).
  71. Donahue and Witt (2020).
  72. California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.100 et seq.
  73. Proposition 24, California Privacy Rights Act of 2020, amending Cal. Civ. Code §§ 1798.100–1798.199.100.
  74. 775 Ill. Comp. Stat. 5/ et seq.
  75. E.g., Waggoner v. Nags Head Water Sports, Inc., 141 F.3d 1162 (4th Cir. 1998); Copeland v. Healthsouth/Methodist Rehab. Hosp., LP, 565 S.W.3d 260, 274 (Tenn. 2018).

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Simon, D.A., Shachar, C., Glenn Cohen, I. (2024). Assessing Public and Private Rights of Action to Police Health Data Sharing. In: Corrales Compagnucci, M., Minssen, T., Fenwick, M., Aboy, M., Liddell, K. (eds) The Law and Ethics of Data Sharing in Health Sciences. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-99-6540-3_3

  • DOI: https://doi.org/10.1007/978-981-99-6540-3_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-6539-7

  • Online ISBN: 978-981-99-6540-3

  • eBook Packages: Law and Criminology, Law and Criminology (R0)
