FC: A mini-debate on U.S. medical privacy rules and effectiveness

[Declan McCullagh <declan () well com>]

Three people contributed to this exchange:
 - Jamie Love, who works for Ralph Nader at the Consumer Project on Technology
 - Peter Swire, formerly chief counselor for privacy at the White House
 - Jim Harper, former Republican Hill staffer and founder of the 
free-market site privacilla.org

This is a response to Peter's note from the weekend:
http://www.politechbot.com/p-01764.html
See a previous exchange in this vein:
http://www.politechbot.com/p-01656.html

-Declan

**********

From: "Jim Harper" <jim.harper () privacilla org>
To: <declan () well com>
Cc: <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed indefinitely
Date: Sun, 25 Feb 2001 17:41:17 -0500

Declan:

As Peter Swire knows, and as the preamble to the HIPAA medical privacy
regulation reports, "all fifty states today recognize in tort law a common
law or statutory right to privacy."  Odd phrasing aside, this means that
everyone in the United States today can sue anyone who violates their
privacy.

Perhaps Peter's phrasing is off when he says that, without the HIPAA regs,
we would have "a baseline of no privacy protection."  That surely sounds
provocative --- but it's not true.

As to moving forward from some baseline, I recently asked subscribers to the
Privacilla list about the consumer benefits of the HIPAA privacy
regulations.  I would like to extend the question to Peter, and any other
interested Politechnicals:

"Can anyone point out actual harms people are suffering today that they will
no longer suffer once the health care system complies [with the HIPAA
privacy regulations]?"

This is a precisely worded question.  I'm asking about real harms to real
people that will really go away.  I'd be happy to take responses at
hipaa () privacilla org (Subject: HIPAA).

Jim Harper
Privacilla.org

**********

Date: Mon, 26 Feb 2001 12:51:27 -0500
To: "Jim Harper" <jim.harper () privacilla org>, <declan () well com>
From: "Peter P. Swire" <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed
  indefinitely
In-Reply-To: <003c01c09f7c$11ebc8c0$80a6accf@compaq>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: 3837dd15854fede4416b1188196425e3

        HHS was required to do a detailed cost/benefit analysis as part of 
issuing the final rule.  Extensive answers to the questions about risk and 
benefits are in the introduction to the proposed rule and the regulatory 
impact analysis.  I won't repeat all the many points here.

        One major category of "real harm to real people" comes when 
individuals do not feel that they can accurately tell their medical 
provider about confidential information.  One 1999 poll found that already 
one in six Americans said that they had inaccurately reported to a medical 
provider due to concerns about lack of confidentiality.  Without the health 
privacy rules, people are subject to being fired or losing their health 
insurance (or can accurately believe they can be fired or lose insurance) 
if they get a positive HIV test, or seek help from a mental health 
professional, or need help with a substance abuse problem, or get a 
positive test for cancer or any other expensive-to-treat condition.  Not 
getting medical assistance due to a fear of lack of confidentiality 
constitutes "real harm to real people."  Being fired or losing health 
insurance also constitutes "real harm," although it will generally be 
difficult or impossible to prove that an employer or insurer acted because 
of access to the medical information.

        As for the quote about "all fifty states today recognize in tort 
law a common law or statutory right to privacy," the reference is 
overwhelmingly to the four limited torts of privacy that Prosser outlined 
in the 1950s: (1) appropriation of name or likeness (using Michael Jordan's 
picture for an ad without his permission); (2) unreasonable intrusion 
(where cases have usually focused on wiretapping and other unreasonable, 
physical invasions); (3) public disclosure of private facts (limited by 
most common law courts to highly exceptionable circumstances); and (4) 
false light in the public eye (similar to defamation).  My opinion as a law 
professor and someone who worked extensively on medical privacy is that the 
four traditional torts catch only a very small portion of the improper 
disclosures of medical records that would be covered by the HHS rule.

        As for the "baseline of no privacy protection", my point was that 
there are no federal rules for patient confidentiality, unless and until 
the medical privacy rules go into effect.  (In the interest of full 
disclosure, there are a couple of highly specialized federal rules, such as 
substance abuse records held in certain circumstances.  So perhaps I should 
have more cautiously said "for over 99 percent of medical records" there 
are no federal privacy protections).

        Peter

**********

From: "Jim Harper" <jim.harper () privacilla org>
To: <declan () well com>, "Peter P. Swire" <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed indefinitely
Date: Mon, 26 Feb 2001 14:54:03 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal

Declan:

One of the most important elements of my big HIPAA question is what harms
people "will no longer suffer once the health care system complies."  Real
harms to real people *that will really go away.*

Like the HIPAA documents, Peter identifies a generalized fear for privacy,
from which --- I agree --- real harms may flow.  (HIPAA also identified
health insurance claim forms blowing off a truck and other mishaps that
can't be prevented by more regulation.)

HIPAA appears to be essentially a gamble that consumer confidence in the
health care system will be created by increasing government intervention
while reducing patient choice and control for: oversight of the health care
system, FDA monitoring, public health surveillance, law enforcement
activities, and so on and so forth.

It's not upsetting to see that bet taken off the table.  It may not be a
good one.

Though I have my guesses, I do not know why consumer education and patient
empowerment were not the responses HHS chose to meet the consumer confidence
deficit.  (Real empowerment through freedom to contract, not through
government-mandated notice-and-consent forms.)  The better approach would
really put patients in control, keep the government out of patients'
records, and let the consumer confidence flow naturally from that.

I admit freely that my opinion of what's better is as bare an assertion as
the idea that government regulation would do the trick.  I'll also assert,
just as nakedly, that consumer education and empowerment would not take $17
*billion* dollars worth of insurance and treatments away from patients, as
the HIPAA regs would.

Jim Harper
Privacilla.org

**********

Date: Sun, 25 Feb 2001 08:08:02 -0500
From: James Love <love () cptech org>
Organization: http://www.cptech.org
To: declan () well com
Cc: politech () politechbot com, "Banisar, Dave" <banisar () epic org>
Subject: Re: FC: U.S. medical privacy regulations may be postponed indefinitely
References: <5.0.2.1.0.20010225004717.0214f1e0 () mail well com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: cae0d2b9c4837428175e56284fcd1897


Declan, I think it is pretty amazing and pretty depresssing that in eight 
years, the Clinton Administration could not get these rules in 
place.    Could Peter explain the
low level of productivity on the privacy side?  Lack of interest?  Short 
work weeks?  Short attention spans?  Reluctance to offend IBM and other 
powerful medical records
lobby groups?  Why did it take eight years and to the end of the 
administration to figure out there was a need for something like this?  Did 
Clinton begin to figure this
out during the Starr/Paul Jones investigations, and the discovery into the 
distinctive characteristics of his penis?   Jamie


--
James Love
Consumer Project on Technology
P.O. Box 19367, Washington, DC 20036
http://www.cptech.org
love () cptech org
1.202.387.8030 fax 1.202.234.5176

**********




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------