Politech mailing list archives

Peter Swire's "modest" defense of HIPAA medical regulatory law [priv]


From: Declan McCullagh <declan () well com>
Date: Wed, 21 Apr 2004 00:32:40 -0400



-------- Original Message --------
Subject: A modest case for HIPAA medical privacy [priv]
Date: Tue, 20 Apr 2004 00:39:30 -0400
From: Peter Swire <peter () peterswire net>
To: 'Declan McCullagh' <declan () well com>

Hi Declan:

        You've run the critiques of HIPAA for its anniversary.  Perhaps
I'll give a few points in support of why it has been good to have
national medical privacy rules for the first time:

        (1) On the claim that medical privacy has become "worse," that
is empirically wrong.  There has been a large investment in systems and
training to upgrade confidentiality.  Medical providers are much more
aware of confidentiality and its importance than they were before.

        (2) On the "law enforcement loophole" making things worse.  The
prior law was that there was NO federal limit on sharing with law
enforcement (with the exception of substance abuse records and a few
others).  HIPAA created new national requirements that make it a HIPAA
violation to disclose to law enforcement unless the standards are met.

        The first two points support the point that confidentiality is
better protected with HIPAA than if the reg had not happened.  The
original rationale for HIPAA remains: we are in a one-time transition
from paper to electronic records, and new safeguards have to be
established to prevent everyone's medical records from being sent
electronically in settings where privacy makes sense.

        (3) The effects of 9/11.  When it comes to Jeb Bush pushing for
new surveillance authority, that is part of a broader pattern of
"bioterrorism", "biosurveillance", and a general tilt toward more
intensive use of data for security reasons.  Admiral Poindexter's
listing of medical records as a source for Total Information Awareness
is another example.  There thus can be a limited sense in which medical
privacy is "worse," but that is due to how society has reacted to the
attacks.  The HIPAA rule reduces the amount that medical records are
being shared compared to what would have happened in the absence of the
HIPAA reg.

        (4) The change in Administration.  Many of your readers will
know that I worked for the Clinton Administration in drafting the HIPAA
rule.  That said, we had planned and hoped for a very different
implementation than the one we have seen: (a) We had planned for much
greater outreach, consultation, and education in order to make the
transition to the new rule smoother.  (b) We did not plan to expand the
marketing loophole the way that HHS decided to do in 2002.  (c) With
respect to law enforcement, we certainly would not have gone after
individual women's medical records the way that AG Ashcroft has.  For
that one, the Justice Department has argued that the patient has no
"reasonable expectation of privacy" in their medical records.  What kind
of signal does that send, when the same Department of Justice is
supposed to enforce the HIPAA rule?

        It is hard and often frustrating to make changes.  But HIPAA has
increased the protection of Americans' medical privacy compared to what
we would have had without the rule.  I've studied the claims of people
who claim the contrary.  I don't think those claims are colorable.

        Thanks,

        Peter
        

Prof. Peter Swire
Moritz College of Law of the
    Ohio State University
John Glenn Scholar in Public Policy Research
Formerly, Chief Counselor for Privacy in the
    U.S. Office of Management & Budget
(240) 994-4142, www.peterswire.net
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

