[Politech] Robert Gellman's defense of HIPAA medical regulations [priv]

From: Declan McCullagh (declan@private)
Date: Tue Apr 27 2004 - 09:32:46 PDT

    -------- Original Message --------
    Subject: Re: [Politech]  HIPAA medical regulations
    Date: Fri, 23 Apr 2004 11:34:15 -0400
    From: Robert Gellman <rgellman@private>
    To: Declan McCullagh <declan@private>
    References: <40874A88.7060503@private>

    Declan McCullagh wrote:
    > [I am not a HIPAA expert, thank goodness. I do not know if Peter or Jim 
    > is correct. But I do know enough about regulation to know that HIPAA 
    > comes with a real price tag. It is reasonable to ask its supporters to 
    > quantify the (ephemeral?) benefits to see if they outweigh the (real) 
    > cost. Otherwise why should it stay on the books? --Declan]

    I have not been able to weigh in on the HIPAA privacy discussion over
    the last week.  I would like to offer a few thoughts and responses.

    1. The HIPAA privacy rule has already been paid for.  The authority for
    the rule was part of an administrative simplification title of the law,
    and Congress thought that a privacy policy was an essential element of
    increasing the use of electronic health care transactions.  Electronic
    transactions were supposed to save billions each year.  Whether that has
    been the case (or will be) is another matter, but Congress saw privacy
    as a prerequisite to those savings.  The administrative simplification
    enterprise was estimated to produce net savings.

    2. Cost-benefit analysis is a perfectly fine tool for policy discussions
    and debate.  However, it is notoriously difficult to assess the benefits
    of values like privacy.  That doesn’t mean that there are no benefits.
    People clearly seem to value privacy in many contexts.  People are
    entitled to demand privacy protections even if the protections don’t
    meet someone’s standard for cost-benefit analysis.  I don’t see
    politicians lining up to propose a repeal of the health privacy rule.

    3. The HIPAA rule did not cost “tens of billions of dollars”.  The HHS
    cost estimate for compliance with the rule was $17.6 billion over ten
    years.  Some anecdotal evidence suggests that the actual costs have been
    less than the estimates, but I can’t document this.  The cost is a tiny
    fraction of national health care expenditures.  Regardless, the health
    care system in the future would continue to spend time and effort on
    privacy even if the HIPAA rule were to be repealed tomorrow.  Record
    keepers need rules (no matter the source) to govern processing of health

    4. I don’t know what it means for “privacy” to be increased.  The HIPAA
    rule imposes a set of fair information practices.  Individuals receive
    notice about their rights and (limited) protections for their health
    information.  Health workers are trained in the rules that govern the
    processing of health information.  Individuals have access and
    correction rights.  Procedures and standards govern disclosures.  Record
    keepers are accountable for compliance.  Security is mandated.  The
    implementation of these requirements is positive because these are the
    elements of privacy.  You are entitled to use your own metric for
    privacy, but you have to state it.  Privacy cannot be measured on a
    one-dimensional scale.

    5. Having offered these points, I still say that the HIPAA privacy rule
    makes many poor policy choices, some of which unnecessarily increase
    cost.  I could go on at great length on the rule’s defects.  There is no
    question that the rule allows many unfortunate disclosures of health
    information.  But many disclosures reflect decisions we made
    collectively to improve public health, law enforcement, control costs,
    prevent fraud, improve research, and the like.  That’s what happens in a
    democracy when we confront complex, multidimensional problems.  If the
    rule allows a disclosure that you don’t like, it doesn’t mean that there
    is “no privacy”.  On balance, I find the rule to be worthwhile, although
    I see it as a close call.

    6. Finally, to those who want a “free market” solution, I will be happy
    to discuss it as soon as you are successful in convincing the American
    public that we need a free market health care system.  Or a free market
    for insurance, banking, telecommunications, education, or any other
    major institution of the modern world.  In the meantime, I work within
    the system that we have.

    + + + + + + + + + + + + + + + + + + + + + + +
    + Robert Gellman                            +
    + Privacy and Information Policy Consultant +
    + 419 Fifth Street SE                       +
    + Washington, DC 20003                      +
    + 202-543-7923        <rgellman@private> +
    + + + + + + + + + + + + + + + + + + + + + + +

    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
