Abstract
Data is an integral part of healthcare delivery. A growth in digital technologies has produced large swaths of health data that contain individuals’ personal, and often sensitive, information. A key question for policymakers is how to regulate the collection, storage, sharing, and disclosure of this information. In this chapter, the authors evaluate two different types of regulatory enforcement mechanisms: public rights of action (where the government sues) and private rights of action (where private persons sue). They use a recent case to illustrate the advantages and drawbacks of private rights of action in health data privacy cases, and then use this analysis to contrast them with public rights of action. Their analysis suggests that public and private rights of action should be viewed as complementary regulatory tools, rather than competing alternatives. In short, both public and private rights of action have important roles in regulating health data. To ensure private rights are effective regulatory tools, policymakers should pay particular attention to how those rights of action are designed and implemented.
Notes
- 1.
Wood (2017), (Accessed 14 February 2023).
- 2.
Dinerstein v. Google, LLC, 484 F. Supp. 3d 561 (2020). The case is currently on appeal at the Seventh Circuit.
- 3.
Dinerstein, 484 F. Supp. 3d at 569–570.
- 4.
Dinerstein, 484 F. Supp. 3d at 566, 568.
- 5.
Dinerstein, 484 F. Supp. 3d at 570.
- 6.
Dinerstein, 484 F. Supp. 3d at 569.
- 7.
E.g., Calhoun v. Google LLC, 526 F. Supp. 3d 605, 617 (N.D. Cal. 2021); In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 979 (N.D. Cal. 2016); Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1, 7 (D.D.C. 2015).
- 8.
Health Insurance Portability and Accountability Act of 1996, § 262 et seq., 42 U.S.C.A. § 1320d, et seq.
- 9.
45 C.F.R. §§ 160, 164.102–164.106, 164.500–164.534.
- 10.
45 C.F.R. §§ 160, 164.102–164.106, 164.302–164.318.
- 11.
E.g., Healthcare Finance News (2023) (Accessed 14 February 2023).
- 12.
Hall et al. (2018), pp. 124–127.
- 13.
15 U.S.C. § 41 et seq.
- 14.
15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b.
- 15.
Complaint, U.S. v. Easy Healthcare Corp., 23-cv-3107, at *2 (filed May 17, 2023); Stipulated Order, U.S. v. Easy Healthcare Corp., 23-cv-3107 (filed May 17, 2023).
- 16.
15 U.S.C. §§ 1681e(b), 1681s.
- 17.
United States v. AppFolio, 1:20-cv-03563, Complaint, at *5-6 (filed Dec. 12, 2020). United States v. AppFolio, 1:20-cv-03563, Stipulated Judgment (January 12, 2021).
- 18.
16 C.F.R. § 312.
- 19.
16 C.F.R. § 312.3.
- 20.
16 C.F.R. § 312.3.
- 21.
FTC may develop information in a civil investigation that can support a criminal prosecution by the DOJ. https://www.ftc.gov/enforcement/criminal-liaison-unit (Accessed 14 February 2023).
- 22.
Pub. L. 111-5, Feb. 17, 2009, 123 Stat. 115, § 1307.
- 23.
16 C.F.R. § 318.7 et seq.
- 24.
16 C.F.R. § 318.7. We emphasize that the laws discussed are federal and apply to patients and health systems anywhere in the U.S. Some individual U.S. states, like California and Virginia, have passed their own privacy laws with implications for health data.
- 25.
These are not the only features of public enforcement of public law, but a few salient ones we highlight.
- 26.
The Department of Health and Human Services’ (HHS) Office for Civil Rights enforces the HIPAA Privacy and Security Rules. If a possible criminal violation has occurred, HHS may refer the case to the Department of Justice (DOJ). State Attorneys General may also bring civil actions on behalf of state residents to enforce violations of the Privacy and Security Rules. 42 U.S.C. § 1320d-5(d). For unfair and deceptive practices, the Federal Trade Commission brings enforcement actions. Like HHS in the context of HIPAA, the FTC may work with or refer civil cases to DOJ for criminal prosecution. The FTC is also charged with enforcing COPPA and the Health Breach Notification Rule, bringing civil enforcement actions against companies that may have violated the law.
- 27.
Of course, federal statutes can also serve as the basis for argument in a private lawsuit, such as in the tort doctrine of negligence per se. For a discussion of this intersection, see, e.g., Geistfeld (2014).
- 28.
- 29.
Remarks by Chair Lina M. Khan on the Health Breach Notification Rule Policy Statement, Commission File No. P205405, September 15, 2021, available at: https://www.ftc.gov/system/files/documents/public_statements/1596360/remarks_of_chair_lina_m_khan_regarding_health_breach_notification_rule_policy_statement.pdf (Accessed 14 February 2023).
- 30.
Federal Trade Commission (2023), (Accessed 15 February 2023). For a more recent case demonstrating a commitment to enforcement of the Health Breach Notification Rule, see the Easy Healthcare case, below.
- 31.
Ruhl and Robisch (2016) (describing how agencies use discretion to claim they have no authority over a problem).
- 32.
US v. Kurbo, Inc. & WW International, Inc., 22-CV-946, Complaint (filed February 16, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf (Accessed 19 June 2023).
- 33.
Federal Trade Commission (2022), (Accessed 15 February 2023).
- 34.
U.S. v. Kurbo, Inc. & WW International, Inc., 22-CV-946, Complaint at *14-15 (filed February 16, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/filed_complaint.pdf (Accessed 19 June 2023).
- 35.
Even without tracking children’s data, WW might still make money by selling services or products to children who use the app (or to their parents if the app is “shared” or has parental oversight).
- 36.
Solove and Hartzog (2014).
- 37.
Mance (2023), (Accessed 19 June 2023).
- 38.
5 U.S.C. § 552.
- 39.
5 U.S.C. § 552. Engstrom (2013, pp. 630–631).
- 40.
Engstrom (2013).
- 41.
Mance (2023).
- 42.
Federal law can also create private rights of action. E.g., 15 U.S.C. § 1681n-o (creating a private right of action under the Fair Credit Reporting Act).
- 43.
Some claims are authorized explicitly, other times courts find them to exist implicitly (Davis 2014).
- 44.
Burbank et al. (2013, pp. 648–661).
- 45.
A federal court applies the rules of Article III standing whenever “Congress creates new private causes of action to vindicate private or public rights.” Spokeo, Inc. v. Robins, 578 U.S. 330, 348 (2016), as revised (May 24, 2016) (Thomas, J., concurring). We note that standing is typically dictated by forum (Article III court versus state court) rather than cause of action. And, although we use the terms “private enforcement” and “private rights of action” interchangeably, we note the distinction between the former, which may arise under common law or federal law, and the latter, which scholars have used to describe enforcement of public law through a legislatively authorized cause of action. We also mean to exclude from discussion “private rights of initiation”: suits by private parties against agencies seeking to require agency action (Stewart and Sunstein 1982, p. 1197).
- 46.
States also have separate standing doctrines, which do not necessarily follow federal requirements. Wexler v. Wirtz Corp., 809 N.E.2d 1240, 1243 (Ill. 2004) (stating standing requirements); Lebron v. Gottlieb Mem’l Hosp., 930 N.E.2d 895, 917 (Ill. 2010) (noting not required to follow federal standing principles).
- 47.
Standing is also required in public rights of action, but the statute giving the right typically matches the cognizable injury needed. But see below.
- 48.
Spokeo, 578 U.S. at 338 (quoting Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180–181 (2000)).
- 49.
Spokeo, 578 U.S. at 334 (2016) (quoting Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180–181 (2000)).
- 50.
Dinerstein, 484 F. Supp. 3d at 571. Dinerstein concerned only the standing of the individual plaintiff, not the class members. TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).
- 51.
E.g., Burbank et al. (2013, p. 639, n. 2).
- 52.
Dinerstein, 484 F. Supp. 3d at 577–578.
- 53.
Dinerstein, 484 F. Supp. 3d at 578.
- 54.
Dinerstein, 484 F. Supp. 3d at 575 (quoting Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 619–20 (7th Cir. 2020) (discussing Spokeo)).
- 55.
Although the court suggested the statute in Spokeo did not create “a degree of risk sufficient to meet the concreteness requirement,” it refrained from ruling on the subject, remanding the case to the Ninth Circuit for further consideration. Spokeo, 578 U.S. at 343.
- 56.
Ramirez, 141 S. Ct. at 2200, 2204-07.
- 57.
Dinerstein, 484 F. Supp. 3d at 580.
- 58.
Dinerstein, 484 F. Supp. 3d at 582.
- 59.
Dinerstein, 484 F. Supp. 3d at 588.
- 60.
Dinerstein, 484 F. Supp. 3d at 591–592.
- 61.
Dinerstein, 484 F. Supp. 3d at 594 (quoting Lovgren v. Citizens First Nat. Bank of Princeton, 534 N.E.2d 987, 989 (Ill. 1989)).
- 62.
Burbank et al. (2013).
- 63.
Scholz (2022).
- 64.
E.g., Carpenter (2010).
- 65.
Scholz (2022).
- 66.
Cheng (1985).
- 67.
Dinerstein, 484 F. Supp. 3d at 567.
- 68.
- 69.
Landes and Posner (1975).
- 70.
Landes and Posner (1975, p. 36).
- 71.
Donahue and Witt (2020).
- 72.
California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.100 et seq.
- 73.
Proposition 24, California Privacy Rights Act of 2020, amending Cal. Civ. Code §§ 1798.100–1798.199.100.
- 74.
775 Ill. Comp. Stat. 5/ et seq.
- 75.
E.g., Waggoner v. Nags Head Water Sports, Inc., 141 F.3d 1162 (4th Cir. 1998); Copeland v. Healthsouth/Methodist Rehab. Hosp., LP, 565 S.W.3d 260, 274 (Tenn. 2018).
References
Burbank SB, Farhang S, Kritzer HM (2013) Private enforcement. Lewis Clark Law Rev 17(3):637–722
Carpenter DP (2010) Reputation and power: organizational image and pharmaceutical regulation at the FDA. Princeton Studies in American Politics, Princeton University Press, Princeton
Cheng C (1985) Important rights and the private attorney general doctrine comment. Calif Law Rev 73(6):1929–1955
Davis S (2014) Implied public rights of action. Colum L Rev 114(1):1–84
Donahue N, Witt JF (2020) Tort as private administration. Cornell Law Rev 105(4):1093–1170
Engstrom DF (2013) Agencies as litigation gatekeepers. Yale Law J 123(3):616–713
Federal Trade Commission (2022) FTC takes action against company formerly known as weight watchers for illegally collecting kids’ sensitive health data. https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive. Accessed 18 Jun 2023
Federal Trade Commission (2023) First FTC health breach notification rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog/2023/02/first-ftc-health-breach-notification-rule-case-addresses-goodrxs-not-so-good-privacy-practices. Accessed 18 Jun 2023
Geistfeld MA (2014) Tort law in the age of statutes. Iowa Law Rev 99(3):957–1020
Hall MA, Orentlicher D, Bobinski MA, Bagley N, Cohen IG (2018) Health care law and ethics. Wolters Kluwer Law Bus 127–154
Healthcare Finance News (2023) Anthem pays $16 million in record HIPAA settlement for data breach. https://www.healthcarefinancenews.com/news/anthem-pays-16-million-record-hipaa-settlement-data-breach. Accessed 19 Jun 2023
Landes WM, Posner RA (1975) The private enforcement of law. J Leg Stud 4(1):1–46
Mance A (Forthcoming 2023) How private enforcement exacerbates climate change. Cardozo Law Rev. https://papers.ssrn.com/abstract=4204954. Accessed 18 Jun 2013
Metzger GE, Stack KM (2017) Internal administrative law. Mich Law Rev 115(8):1239–1307
Ruhl JB, Robisch K (2016) Agencies running from agency discretion. William Mary Law Rev 58(1):97–182
Scholz LH (2022) Private rights of action in privacy law. William Mary Law Rev 63(05):1639–1694
Seth D (2014) Implied public rights of action. Columbia Law Rev 114(1):1–84
Solove D, Woodrow H (2014) The FTC and the new common law of privacy. Columbia Law Rev 114(3):583–676
Stewart RB, Sunstein CR (1982) Public programs and private rights. Harv Law Rev 95(6):1193–1322
Wood M (2017) UChicagoMedicine, The Forefront. UChicago Medicine Collaborates with Google to use machine learning for better health care. https://www.uchicagomedicine.org/forefront/research-and-discoveries-articles/uchicago-medicine-collaborates-with-google-to-use-machine-learning-for-better-health-care. Accessed 18 Jun 2023
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this chapter
Simon, D.A., Shachar, C., Glenn Cohen, I. (2024). Assessing Public and Private Rights of Action to Police Health Data Sharing. In: Corrales Compagnucci, M., Minssen, T., Fenwick, M., Aboy, M., Liddell, K. (eds) The Law and Ethics of Data Sharing in Health Sciences. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-99-6540-3_3
DOI: https://doi.org/10.1007/978-981-99-6540-3_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-6539-7
Online ISBN: 978-981-99-6540-3
eBook Packages: Law and Criminology, Law and Criminology (R0)