HIPAA Journal is conducting interviews with healthcare professionals, compliance professionals, and industry service providers to find out more about their experiences with HIPAA, their successes, and the challenges they have faced and continue to face with HIPAA compliance. This week, Stacey A. Tovino, JD, Ph.D., William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs, The University of Oklahoma College of Law, shared her thoughts.
Tell HIPAA Journal readers about your current position.
I currently serve as the William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs at the University of Oklahoma College of Law. I am an elected member of the American Law Institute and an invited fellow of the American Bar Foundation. My current research focuses on privacy, security, and breach notification law and my privacy, security, and breach notification-related scholarship work is published in textbooks, casebooks, encyclopedias, law reviews, medical and science journals, and ethics and humanities journals, including Duke Law Journal (2022), Notre Dame Law Review (2019), Iowa Law Review (2019), and Alabama Law Review (2018).
What was your first position?
My first post-law school position was as an associate attorney at Vinson & Elkins in Houston, Texas.
What are the main challenges in your position?
My main challenges include keeping up with state law developments relating to privacy, security, and breach notification law.
Tell the readers about your career in the healthcare industry.
I have served as Chair of the AALS Section on Law and Mental Disability (2009), Chair of the AALS Section on Torts and Compensation Systems (2018), Chair of the AALS Section on Law, Medicine, and Health Care (2022), Chair-Elect of the AALS Section on Law and Mental Disability (2021-2022), Chair-Elect of the AALS Section on BioLaw (2021-2022), Chair-Elect of the AALS Section on Law and the Humanities (2022), Chair-Elect of the AALS Section on Law Professors with Disabilities and Allies (2022), and Executive Committee Member of the AALS Section on Teaching Methods (2020-2022).
Prior to joining the faculty at the University of Oklahoma College of Law, I served for a decade as the Judge Jack and Lulu Lehman Professor of Law and the Founding Director of the Health Law Program at the University of Nevada, Las Vegas (UNLV) William S. Boyd School of Law, and in 2019, I received UNLV’s Top Tier Award, an honor bestowed on faculty members who demonstrate excellence in all five areas of UNLV’s Top Tier Mission.
I have also served as Founding Director of the Health Law and Policy Center and Associate Professor of Law at Drake University Law School (2008-2010); Assistant Professor of Law at Hamline University School of Law (2006-2008); Visiting Assistant Professor, Research Professor, and Adjunct Professor at the University of Houston Law Center (2003-2006); and attorney in the Health Industries Group of the Houston office of the international law firm Vinson & Elkins (1997-2003).
During my practice, I have represented physicians, scientists, allied health professionals, general and special hospitals, academic medical centers, organ procurement organizations, blood banks, and nonprofit healthcare organizations in civil, regulatory, operational, and transactional matters. I am an enthusiastic teacher of HIPAA Privacy Law and earned law school-wide teaching awards in 2009, 2012, 2013, 2014, 2016, and 2020, as well as an OU College of Law Institutional Impact Award in 2021.
When did you first get involved with HIPAA compliance?
I attended law school at the University of Houston between 1994 and 1997. In August 1996, right at the start of my third year of law school, President Clinton signed HIPAA into law. HHS published its first proposed privacy rule in November 1999, shortly after I began practicing law. I have focused on HIPAA privacy matters my entire career.
Are you working on any interesting projects?
Yes. My most recent law review article focuses on the lack of HIPAA protections for student treatment records. Given that FERPA (the Family Educational Rights and Privacy Act) also excludes student treatment records from protection, leaving them only to state law, I am arguing that state law is insufficient to protect the sensitive and sometimes stigmatizing information in these records.
What do you think needs to be improved in the HIPAA regulations?
HIPAA needs to improve its protection of student treatment records and reproductive health information, just to name two.
Can you explain the current problem with student treatment records?
The HIPAA Privacy Rule’s use and disclosure requirements (45 C.F.R. 164.502-.514) and individual rights (45 C.F.R. 164.520-.528) only apply to protected health information (PHI). In addition, the HIPAA Security Rule’s administrative, physical, and technical safeguards only apply with respect to electronic PHI (ePHI). Moreover, the HIPAA Breach Notification Rule only applies to unsecured PHI (uPHI).
To be protected by any of the HIPAA Rules, then, there must be PHI. The catch is that the HIPAA Rules exclude “student treatment records” from the definition of PHI. (Student treatment records are defined to include the medical records created and maintained by university-owned student health centers about postsecondary students that are not disclosed for non-treatment purposes.) Moreover, the Family Educational Rights and Privacy Act (FERPA) also excludes student treatment records from the definition of education records. The result is that student treatment records are only protected by state law. Unfortunately, state facility licensing laws, state medical record privacy laws, state data security laws, state breach notification laws, and new state consumer data protection laws provide minimal, if any, protections for student treatment records due to relevant exceptions, including exceptions that apply to HIPAA covered entities, educational institutions, and/or student treatment records.
The result is that many student treatment records are only protected by antiquated privacy provisions set forth in state professional practice acts. However, most state professional practice acts: (1) do not carefully or heavily regulate the use and disclosure of student treatment records; (2) do not provide students with comprehensive rights relating to their health information, including the right to receive a notice of privacy practices, the right to request additional privacy protections, the right to correct inaccurate medical record entries, the right to receive an accounting of disclosures, the right to be notified of privacy and security breaches, or the right to mitigation of harmful effects associated with such breaches; (3) do not require the implementation of administrative, physical, or technical safeguards designed to ensure the confidentiality, integrity, and availability of student health information; and (4) are not aggressively enforced (or enforceable) through stringent civil and criminal penalties, qui tam provisions, or private rights of action.
In a forthcoming article due to be published this year – Privacy for Student-Patients: A Call to Action, Stacey A. Tovino – I propose and justify amendments to the definition of protected health information under HIPAA and the definition of education records under FERPA. If my proposals are implemented by HHS and Congress, respectively, student treatment records will be protected by the HIPAA Rules at all times during their life span.
How do you feel HIPAA is failing to ensure the privacy of reproductive health information?
The HIPAA Privacy Rule currently treats reproductive health information like any other class of health information, including orthopedic information, dermatological information, or neurological information. Stated another way, reproductive health information is not specially protected under the HIPAA Privacy Rule. One idea is to apply heightened, or more stringent, confidentiality protections to reproductive health information. For example, the HIPAA Privacy Rule already provides heightened confidentiality protections to psychotherapy notes. Why not reproductive health information as well?
In particular, the HIPAA Privacy Rule prohibits covered entities from using or disclosing psychotherapy notes without the patient’s prior written authorization for any payment purposes under 45 C.F.R. § 164.506(c)(1) and (3); for treatment purposes under 45 C.F.R. § 164.506(c)(2); for law enforcement purposes under 45 C.F.R. 164.512(f); and for most judicial and administrative proceedings purposes under 45 C.F.R. 164.512(e). See 45 C.F.R. 164.508(a)(2) (setting forth the only situations in which a covered entity may use or disclose psychotherapy notes without patient authorization). In an article that is forthcoming in the Cardozo Law Review – Confidentiality Over Privacy, Stacey A. Tovino, 44 Cardozo L. Rev. 101 – I show how these special protections could be applied to reproductive health information as well.
Do you have any predictions for the future of HIPAA?
I am looking forward to HHS regulations that will address whether patients injured by privacy violations can serve as qui tam plaintiffs and recover a portion of the settlements or penalties recovered by HHS.