Degree Name

Doctor of Philosophy (PhD)



First Advisor

J. Beth Mabry

Second Advisor

Valerie Gunter

Third Advisor

Melissa Swauger


This study explores the policy shift from voluntary to punitive enforcement of privacy violations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by the U.S. Department of Health and Human Services’ Office of Civil Rights. Specifically, I examined why policymakers altered the enforcement of HIPAA and how different stakeholders influenced policy change. I applied the multiple-streams framework, social movements and countervailing powers, and bounded rationality to this question. The qualitative inquiry involved purposively sampling documents of various types, two levels of coding, and thematic analysis.

I found that policymakers modified the enforcement of the HIPAA privacy regulation, despite the opposition of industry, because consumer/privacy advocacy groups worked together and were prepared for a window of opportunity for policy change. Such a window opened in 2008 amid the confluence of a transition in Presidential administrations, Democrats taking a majority in both houses of Congress, and, at the height of the Great Recession, widely supported legislation, the American Recovery and Reinvestment Act (ARRA), to which the policy change, HITECH, could be attached.

Stakeholders promoted their policy positions differently. Industry groups wrote letters to policymakers while privacy advocates and governmental officials used the media to disseminate views. Stakeholder group representatives provided congressional testimony and some accepted or left government positions. Consumer/privacy groups worked together, and government stakeholders indicated they would collaborate with other government and consumer/privacy groups. Industry and professional groups made unsuccessful attempts to influence the policy shift through suggestions in public comment letters. Stakeholder groups opposed to a change in policy enforcement argued that fines are unnecessary and ineffective. Proponents of the policy enforcement shift, consumer/privacy and government groups, consistently pointed to the lack of fines as a reason why the shift was needed.

The findings of this study suggested that the absence of meaningful consequences for privacy violations made for ineffective policy. Industry groups recommended increased transparency from the government enforcement agency. Privacy groups opposed voluntary compliance, arguing it lacked a persuasive element. These findings parallel the policy literature and my professional observations. Stakeholders’ preparation to capitalize on an open policy window parallels Kingdon’s (2011) multiple-streams framework.