• Dean M. Harris University of North Carolina at Chapel Hill, United States of America
Keywords: privacy; medical privacy; HIPAA privacy rule; COVID-19; US law.


This article addresses the privacy of medical and health data in the US. It analyzes the scope and requirements of federal and state laws in the US, and it discusses the weaknesses in the US protection of medical privacy. Then, this article explains how the weak US system of privacy protection was unable to handle many important privacy issues in the COVID-19 pandemic. Finally, the article concludes with some recommendations for action.


Satariano, A, E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact, New York Times, (July 16, 2020). URL: transfer-pact-rejected.html

Schrems and Facebook Ireland v Data Protection Commissioner, (2020) CJEU Case C-311/18, Paragraph 185. URL: docid=228677

Speech by Federal Chancellor Angela Merkel at the 49th World Economic Forum Annual Meeting in Davos on 23 January 2019. URL: breg-en/news/speech-by-federal-chancellor-angela-merkel-at-the-49th-world-economic- forum-annual-meeting-in-davos-on-23-january-2019-1574188

Harris, D, Contemporary Issues in Healthcare Law & Ethics (4th edition), (Chicago, Health Administration Press, 2014).

551 P.2d 334 (Cal. 1976).

National Conference of State Legislatures, Mental Health Professionals’ Duty to Warn (October 12, 2018). URL: professionals-duty-to-warn.aspx

Public Law No. 104–191 (1996).

Public Law No. 111–5, 13401, 13404 (2009).

Terry, N, Health Privacy Is Difficult but Not Impossible in a Post-HIPAA Data- Driven World, CHEST, (2014), 146(3): 835–840.

Terry, N, Big Data Proxies and Health Privacy Exceptionalism, Health Matrix, (2014), 24(1): 65–108.

Ross, C, After 9/11, we gave up privacy for security. Will we make the same trade- off after Covid-19? STAT, (April 8, 2020). URL: coronavirus-will-we-give-up-privacy-for-security/

45 CFR 164.512(b)(1)(i).

HIPAA and COVID-19. URL: topics/hipaa-covid19/index.html

COVID-19 and HIPAA: Disclosuresto law enforcement, paramedics, other first responders and public health authorities. URL: covid-19-hipaa-and-first-responders-508.pdf

85 Federal Register 19392-93 (April 7, 2020).

85 Federal Register 22024-05 (April 21, 2020).

McCoy, M et al, Prevalence of Third-Party Tracking on COVID-19 – Related Web Pages, JAMA, (October 13, 2020), 324(14):1462–1464.

McCoy, M, T Libert, & A Friedman, Online privacy loss: another Covid-19 aftershock, STAT, (September 30, 2020). URL: online-privacy-loss-another-covid-19-aftershock/

New York Times Editorial Board, Privacy Cannot Be a Casualty of the Coronavirus, New York Times, (April 7, 2020), privacy-coronavirus.html

Singer, N, and SH Choe, As Coronavirus Surveillance Escalates, Personal Privacy Plummets, New York Times, (April 17, 2020). URL: technology/coronavirus-surveillance-tracking-privacy.html

De la Garza, A, Contact Tracing Apps Were Big Tech’s Best Idea for Fighting COVID-19. Why Haven’t They Helped? TIME (November 10, 2020). URL: https://time. com/5905772/covid-19-contact-tracing-apps/

Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received? URL: liability.html

45 CFR 160.103.

Fuller, T, How Much Should the Public Know About Who Has the Coronavirus? New York Times, (March 30, 2020). URL: data-privacy.html

Tahir, D, and M Ravindranath, How the coronavirus is upending medical privacy, POLITICO, (April 28, 2020). URL: medical-privacy-217671

Oppel, R, et al, The Fullest Look Yet at the Racial Inequity of Coronavirus, New York Times, (July 5, 2020). URL: coronavirus-latinos-african-americans-cdc-data.html

Public Law No. 104-191, Title II, Subtitle F, 264 (c)(1) (1996).

Litman-Navarro, K, We Read 150 Privacy Policies. They Were an Incomprehensible Disaster, New York Times, (June 12, 2019). URL: interactive/2019/06/12/opinion/facebook-google-privacy-policies.html

Singer, N, What Does California’s New Data Privacy Law Mean? Nobody Agrees, New York Times, (December 29, 2019). URL: technology/california-privacy-law.html

Hecht-Felella, L, and K Mueller-Hsia, Rating the Privacy Protections of State Covid-19 Tracking Apps, BRENNAN CENTER FOR JUSTICE, (November 5, 2020). URL: covid-19-tracking-apps

Turow, J, Let’s Retire the Phrase ‘Privacy Policy’ New York Times, (August 20, 2018). URL:

Author Biography

Dean M. Harris, University of North Carolina at Chapel Hill, United States of America

Associate Professor, Department of Health Policy and Management, Gillings School of Global Public Health, University of North Carolina at Chapel Hill, United States of America; Bachelor of Arts degree from Cornell University in 1973; Juris Doctor degree from UNC School
of Law in 1981; Member of the American Health Law Association; Member of the European Association of Health Law

How to Cite
Harris, D. M. (2021). THE LAW OF MEDICAL PRIVACY IN THE USA: NOT GOOD ENOUGH FOR COVID-19. Medicne Pravo, (1(27), 28-40.