Confidentiality of Individually Identifiable Health Information. H. Enforcement


We recommend that any patient whose rights have been violated knowingly or negligently be permitted to bring an action, in a U.S. District Court or any court of competent jurisdiction for actual damages and for equitable relief. We recommend that actual damages encompass nonpecuniary losses such as physical and mental injury as well as pecuniary losses. We recommend that in the case of knowing violation, attorneys' fees and punitive damages should be available.

We recommend that common law liability be eliminated for any disclosure that is permitted by the legislation we recommend and is not otherwise prohibited by State or Federal statute.

We recommend that members of institutional review boards and their parent entities not be liable for a good faith determination of the propriety of a disclosure for research under the provisions allowing for such disclosure.

We recommend that there be no liability for a disclosure based on good faith reliance on a certification by a government authority or other person that a requested disclosure is in accord with the law.

The ability to seek redress for violations is an important element of confidentiality protection. There have been, and will continue to be, improper disclosures of health information, through negligence or deliberate choice. The victims of such disclosures should be able to seek civil redress.

The Privacy Working Group of the President's Information Infrastructure Task Force identified this as a basic principle in its Principles for Providing and Using Personal Information:

III.C. Redress Principle
Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.

The President's statement on the Global Information Infrastructure, A Framework for Global Electronic Commerce (June 1997) reiterates this point:

Under these principles, consumers are entitled to redress if they are harmed by improper use or disclosure of personal information or if decisions are based on inaccurate, outdated, incomplete, or irrelevant personal information.

Other statutes establishing confidentiality obligations provide a cause of action, such as the Fair Credit Reporting Act, which permits suits in the U.S. District Courts, or in any other court of competent jurisdiction, to enforce liabilities under that act (15 U.S.C. §§ 617-618). Cable television operators are forbidden to disclose subscriber information except under defined circumstances, and violations give rise to civil liability, with a cause of action in the U.S. District Court (47 U.S.C. § 551(f)). The wrongful disclosure of video tape rentals or sales information gives rise to a similar cause of action (18 U.S.C. § 2710(c)). New restrictions on disclosure of State motor vehicle information were imposed by the Violent Crime Control and Law Enforcement Act of 1994, and individuals have a cause of action in the U.S. District Court against persons who obtain or disclose information in violation of the restrictions (Pub. L. No. 103-322, § 300002, 108 Stat. 1796, 2101, 18 U.S.C. § 2724).

We recommend that the legislation take a balanced approach that compensates, in the case of negligence, only for actual losses, although not only monetary losses. In the case of a knowing violation, punitive damages and attorneys' fees should also be available.

Our recommended definition of actual damages envisages better recovery possibilities than the Privacy Act of 1974, whose damages provisions (subsections (g)(1)(D) and (g)(4)) have in some instances been read to mean only pecuniary damages, and whose standard for recovery is that the Federal agency acted intentionally or wilfully ((g)(4)). The Privacy Protection Study Commission, responding to a specific Congressional request to address this issue, recommended expansion of the Privacy Act recovery to both special and general damages (Personal Privacy in an Information Society 530-1 (1997)). The limitations of the Privacy Act in providing satisfactory remedies have been noted by various commentators, including Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law § 5-5(a) (1996).

We recommend that the rights provided by the legislation be enforceable in any court of competent jurisdiction, as in the case of the Fair Credit Reporting Act, and we recommend that there be nothing to prevent States from providing other remedies in State law for violation of the Federal law.

We recommend that recovery for the wrongful behavior of public employees acting in an official capacity be against their agencies, in accord with current law.

Some current enforcement of privacy rights occurs through litigation under common law theories of a general public policy of medical confidentiality (derived from privilege and licensing statutes), contract, malpractice, and tortious invasion of privacy. Federal confidentiality legislation should bring certain and uniform standards to the redress and recovery process, and thus we recommend that there be no common law recovery for uses and disclosures of information permitted by the Federal law and not otherwise prohibited.

These recommendations are intended to protect record holders and those who assist in making determinations about disclosures against liability based on those disclosures if they act in good faith. Record holders should be able to, but should not have to, make their own inquiries into requests for allowable disclosures in the absence of a facial irregularity in the request.


We recommend that there be authority to impose civil money penalties on any covered entity which has demonstrated a pattern or practice of failure to comply with the provisions of the law.

We recommend this additional remedy for grave or continuing offenses. The procedural aspects of the penalties could be similar to those for wrongdoing in the Medicaid and Medicare programs, under section 1128A of the Social Security Act.


We recommend that alternative dispute resolution procedures be available for disputes giving rise to civil liability under the law.


We recommend criminal penalties (including fine and imprisonment) at the felony level for obtaining health information under false pretenses, for knowing and unlawful obtaining of health information, and for knowing and unlawful use or disclosure of health information.

We recommend that the penalties be higher for any of these acts performed for profit or monetary gain.

Activities that should violate the law include requesting or obtaining health information under false pretenses from a covered entity; knowingly obtaining protected health information with the intent to sell, transfer, or use the information for profit or monetary gain; knowingly selling, transferring, or using health information for profit or monetary gain; and knowingly using or disclosing health information in violation of the law's requirements for nondisclosure.

The penalties we recommend are modeled on the penalties provided in the Health Insurance Portability and Accountability Act of 1996 for violation of disclosure restrictions in the administrative simplification provisions of that Act (Social Security Act § 1177, 42 U.S.C. § 1320d-6).