Emory Law Journal

Abstract

Individuals’ health information is increasingly at risk of data breaches as healthcare providers adopt health information technologies and individuals use digital devices and applications to log their health data. The frequency of data breaches involving health information has escalated year after year, and, as a result, more individuals are seeking recourse in federal court. To proceed in federal court, however, these individuals must have Article III standing, and meeting the injury-in-fact requirement to confer standing has been a difficult hurdle for plaintiffs in data breach cases to overcome. Federal courts have narrowly interpreted what constitutes a concrete harm stemming from data breaches, disregarding the noneconomic harms faced by plaintiffs and focusing almost exclusively on economic harms, such as identity theft and credit card fraud, as sufficient to constitute an injury-in-fact. This narrow interpretation fails to acknowledge the sensitive, immutable nature of individuals’ health information and threatens individuals’ ability to enforce privacy rights.

This Comment argues that federal courts should broaden their interpretation of injury-in-fact in data breach cases involving protected health information. It proposes that federal courts shift their analytical framework for evaluating injury-in-fact by expanding their recognition of intangible harms that result from both the threat of misuse of compromised data and the mere fact that the data has been compromised. Moreover, Congress should amend HIPAA to include a private right of action, and the U.S. Department of Health and Human Services should broaden the definition of entities that must comply with HIPAA regulations. These measures will empower victims of data breaches to seek redress for harms stemming from their exposed health data, enforcing their right to privacy.

Included in

Law Commons
