Robert Gellman's defense of HIPAA medical regulations [priv]

[Declan McCullagh <declan () well com>]

-------- Original Message --------
Subject: Re: [Politech]  HIPAA medical regulations
Date: Fri, 23 Apr 2004 11:34:15 -0400
From: Robert Gellman <rgellman () netacc net>
To: Declan McCullagh <declan () well com>
References: <40874A88.7060503 () well com>

Declan McCullagh wrote:
> [I am not a HIPAA expert, thank goodness. I do not know if Peter or Jim 
> is correct. But I do know enough about regulation to know that HIPAA 
> comes with a real price tag. It is reasonable to ask its supporters to 
> quantify the (ephemeral?) benefits to see if they outweigh the (real) 
> cost. Otherwise why should it stay on the books? --Declan]

I have not been able to weigh in on the HIPAA privacy discussion over
the last week.  I would like to offer a few thoughts and responses.

1. The HIPAA privacy rule has already been paid for.  The authority for
the rule was part of an administrative simplification title of the law,
and Congress thought that a privacy policy was an essential element of
increasing the use of electronic health care transactions.  Electronic
transactions were supposed to save billions each year.  Whether that has
been the case (or will be) is another matter, but Congress saw privacy
as a prerequisite to those savings.  The administrative simplification
enterprise was estimated to produce net savings.

2. Cost-benefit analysis is a perfectly fine tool for policy discussions
and debate.  However, it is notoriously difficult to assess the benefits
of values like privacy.  That doesn’t mean that there are no benefits.
People clearly seem to value privacy in many contexts.  People are
entitled to demand privacy protections even if the protections don’t
meet someone’s standard for cost-benefit analysis.  I don’t see
politicians lining up to propose a repeal of the health privacy rule.

3. The HIPAA rule did not cost “tens of billions of dollars”.  The HHS
cost estimate for compliance with the rule was $17.6 billion over ten
years.  Some anecdotal evidence suggests that the actual costs have been
less than the estimates, but I can’t document this.  The cost is a tiny
fraction of national health care expenditures.  Regardless, the health
care system in the future would continue spend time and effort on
privacy even if the HIPAA rule were to be repealed tomorrow.  Record
keepers need rules (no matter the source) to govern processing of health
records.

4. I don’t know what it means for “privacy” to be increased.  The HIPAA
rule imposes a set of fair information practices.  Individuals receive
notice about their rights and (limited) protections for their health
information.  Health workers are trained in the rules that govern the
processing of health information.  Individuals have access and
correction rights.  Procedures and standards govern disclosures.  Record
keepers are accountable for compliance.  Security is mandated.  The
implementation of these requirements is positive because these are the
elements of privacy.  You are entitled to use your own metric for
privacy, but you have to state it.  Privacy cannot be measured on a
one-dimensional scale.

5. Having offered these points, I still say that the HIPAA privacy rule
makes many poor policy choices, some of which unnecessarily increase
cost.  I could go on at great length on the rule’s defects.  There is no
question that the rule allows many unfortunate disclosures of health
information.  But many disclosures reflect decisions we made
collectively to improve public health, law enforcement, control costs,
prevent fraud, improve research, and the like.  That’s what happens in a
democracy when we confront, complex, multidimensional problems.  If the
rule allows a disclosure that you don’t like, it doesn’t mean that there
is “no privacy”.  On balance, I find the rule to be worthwhile, although
I see it as a close call.

6. Finally, to those who want a “free market” solution, I will be happy
to discuss it as soon as you are successful in convincing the American
public that we need a free market health care system.  Or a free market
for insurance, banking, telecommunications, education, or any other
major institution of the modern world.  In the meantime, I work within
the system that we have.

Bob

--
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman                            +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE                       +
+ Washington, DC 20003                      +
+ 202-543-7923        <rgellman () netacc net> +
+ + + + + + + + + + + + + + + + + + + + + + +



_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)