[Politech] Peter Swire's "modest" defense of HIPAA medical regulatory law [priv]

From: Declan McCullagh (declan@private)
Date: Tue Apr 20 2004 - 21:32:40 PDT

  • Next message: Declan McCullagh: "[Politech] FTC convenes "spyware" workshop... with scant results"

    -------- Original Message --------
    Subject: A modest case for HIPAA medical privacy [priv]
    Date: Tue, 20 Apr 2004 00:39:30 -0400
    From: Peter Swire <peter@private>
    To: 'Declan McCullagh' <declan@private>
    Hi Declan:
    	You've run the critiques of HIPAA for its anniversary.  Perhaps
    I'll give a few points in support of why it has been good to have
    national medical privacy rules for the first time:
    	(1) On the claim that medical privacy has become "worse," that
    is empirically wrong.  There has been a large investment in systems and
    training to upgrade confidentiality.  Medical providers are much more
    aware of confidentiality and its importance than they were before.
    	(2) On the "law enforcement loophole" making things worse.  The
    prior law was that there was NO federal limit on sharing with law
    enforcement (with the exception of substance abuse records and a few
    others).  HIPAA created new national requirements that make it a HIPAA
    violation to disclose to law enforcement unless the standards are met.
    	The first two points support the point that confidentiality is
    better protected with HIPAA than if the reg had not happened.  The
    original rationale for HIPAA remains: we are in a one-time transition
    from paper to electronic records, and new safeguards have to be
    established to prevent everyone's medical records from being sent
    electronically in settings where privacy makes sense.
    	(3) The effects of 9/11.  When it comes to Jeb Bush pushing for
    new surveillance authority, that is part of a broader pattern of
    "bioterrorism", "biosurveillance", and a general tilt toward more
    intensive use of data for security reasons.  Admiral Poindexter's
    listing of medical records as a source for Total Information Awareness
    is another example.  There thus can be a limited sense in which medical
    privacy is "worse," but that is due to how society has reacted to the
    attacks.  The HIPAA rule reduces the amount that medical records are
    being shared compared to what would have happened in the absence of the
    HIPAA reg.
    	(4) The change in Administration.  Many of your readers will
    know that I worked for the Clinton Administration in drafting the HIPAA
    rule.  That said, we had planned and hoped for a very different
    implementation than the one we have seen: (a) We had planned for much
    greater outreach, consultation, and education in order to make the
    transition to the new rule smoother.  (b) We did not plan to expand the
    marketing loophole the way that HHS decided to do in 2002.  (c) With
    respect to law enforcement, we certainly would not have gone after
    individual women's medical records the way that AG Ashcroft has.  For
    that one, the Justice Department has argued that the patient has no
    "reasonable expectation of privacy" in their medical records.  What kind
    of signal does that send, when the same Department of Justice is
    supposed to enforce the HIPAA rule?
    	It is hard and often frustrating to make changes.  But HIPAA has
    increased the protection of Americans' medical privacy compared to what
    we would have had without the rule.  I've studied the claims of people
    who claim the contrary.  I don't think those claims are colorable.
    Prof. Peter Swire
    Moritz College of Law of the
         Ohio State University
    John Glenn Scholar in Public Policy Research
    Formerly, Chief Counselor for Privacy in the
         U.S. Office of Management & Budget
    (240) 994-4142, www.peterswire.net
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)

    This archive was generated by hypermail 2b30 : Tue Apr 20 2004 - 22:37:45 PDT