-------- Original Message --------
Subject: Re: [Politech] HIPAA medical regulations
Date: Fri, 23 Apr 2004 11:34:15 -0400
From: Robert Gellman <rgellman@private>
To: Declan McCullagh <declan@private>
References: <40874A88.7060503@private>

Declan McCullagh wrote:
> [I am not a HIPAA expert, thank goodness. I do not know if Peter or Jim
> is correct. But I do know enough about regulation to know that HIPAA
> comes with a real price tag. It is reasonable to ask its supporters to
> quantify the (ephemeral?) benefits to see if they outweigh the (real)
> cost. Otherwise why should it stay on the books? --Declan]

I have not been able to weigh in on the HIPAA privacy discussion over the last week. I would like to offer a few thoughts and responses.

1. The HIPAA privacy rule has already been paid for. The authority for the rule was part of an administrative simplification title of the law, and Congress thought that a privacy policy was an essential element of increasing the use of electronic health care transactions. Electronic transactions were supposed to save billions each year. Whether that has been the case (or will be) is another matter, but Congress saw privacy as a prerequisite to those savings. The administrative simplification enterprise was estimated to produce net savings.

2. Cost-benefit analysis is a perfectly fine tool for policy discussions and debate. However, it is notoriously difficult to assess the benefits of values like privacy. That doesn’t mean that there are no benefits. People clearly seem to value privacy in many contexts. People are entitled to demand privacy protections even if the protections don’t meet someone’s standard for cost-benefit analysis. I don’t see politicians lining up to propose a repeal of the health privacy rule.

3. The HIPAA rule did not cost “tens of billions of dollars”. The HHS cost estimate for compliance with the rule was $17.6 billion over ten years. Some anecdotal evidence suggests that the actual costs have been less than the estimates, but I can’t document this. The cost is a tiny fraction of national health care expenditures. Regardless, the health care system in the future would continue to spend time and effort on privacy even if the HIPAA rule were to be repealed tomorrow. Record keepers need rules (no matter the source) to govern processing of health records.

4. I don’t know what it means for “privacy” to be increased. The HIPAA rule imposes a set of fair information practices. Individuals receive notice about their rights and (limited) protections for their health information. Health workers are trained in the rules that govern the processing of health information. Individuals have access and correction rights. Procedures and standards govern disclosures. Record keepers are accountable for compliance. Security is mandated. The implementation of these requirements is positive because these are the elements of privacy. You are entitled to use your own metric for privacy, but you have to state it. Privacy cannot be measured on a one-dimensional scale.

5. Having offered these points, I still say that the HIPAA privacy rule makes many poor policy choices, some of which unnecessarily increase cost. I could go on at great length on the rule’s defects. There is no question that the rule allows many unfortunate disclosures of health information. But many disclosures reflect decisions we made collectively to improve public health, law enforcement, control costs, prevent fraud, improve research, and the like. That’s what happens in a democracy when we confront complex, multidimensional problems. If the rule allows a disclosure that you don’t like, it doesn’t mean that there is “no privacy”. On balance, I find the rule to be worthwhile, although I see it as a close call.

6. Finally, to those who want a “free market” solution, I will be happy to discuss it as soon as you are successful in convincing the American public that we need a free market health care system. Or a free market for insurance, banking, telecommunications, education, or any other major institution of the modern world. In the meantime, I work within the system that we have.

Bob

--
+ + + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE +
+ Washington, DC 20003 +
+ 202-543-7923 <rgellman@private> +
+ + + + + + + + + + + + + + + + + + + + + + + +

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2b30 : Tue Apr 27 2004 - 11:00:58 PDT