Home page logo

Politech mailing list archives

FC: U.S. medical privacy regulations may be postponed indefinitely
From: Declan McCullagh <declan () well com>
Date: Sun, 25 Feb 2001 00:47:35 -0500


From: "Peter Swire" <swire.1 () osu edu>
To: <declan () well com>
Subject: Medical privacy rules may be postponed indefinitely
Date: Sun, 25 Feb 2001 12:40:22 -0500


        Here is an item that may be of interest (or concern) to your list. On
Friday, the Bush Administration announced that it will ask for a new round
of comments on the medical privacy rule that was issued in December.  Due to
a regrettable and recently announced mistake by HHS in not sending paperwork
to Congress, the rule does not become "effective" until April 14, with
compliance scheduled for early 2003.  The new announcement states that
comments can be filed until April 14, with the apparent intention of
postponing and rewriting the rule.

This action raises the serious possibility that the medical privacy rules will be postponed indefinitely. Here are some preliminary comments:

        (1) Today there are no federal rules to protect the confidentiality of
medical records.  The rules announced in December, which would expect
compliance in early 2003, would be the first federal rules on the subject,
and would provide a baseline of significant privacy protection for medical
records.  To the extent the new Administration wishes to make changes in the
rule, it has ample opportunity to do so.  Such changes, though, should be
done from a baseline of good privacy protection and not a baseline of no
privacy protection.

        (2) There were over 52,000 comments on the proposed rules issued in 1999.
It took a team of 70 people from over a dozen agencies to respond to the
comments as required by the Administrative Procedure Act and draft the final
rule. The rule took an enormous effort even when it was a priority of the
President, the White House staff, and HHS.  Responding to a new flood of
comments, and determining the new Administration's position on each issue in
the rule, would likely take a very long time and quite possibly would never
be completed.

        (3) A better course of action is to allow the final rule to enter into
effect on April 14.  The new Administration can then consider the new
comments.  It can make changes it believes are lawful and appropriate in
plenty of time for compliance by early 2003.  The choice is between staying
on track to protecting the privacy of Americans' health records or else
derailing those protections indefinitely.

        (4) For cyberspace policy, one should remember that a key reason for the
medical privacy rules was to respond to the computerization of health
records, and the flow of such records through networks as required by the
1996 HIPAA law.  There is consensus that medical records deserve protection,
including statements by President Bush during the campaign that that he
would "guarantee the privacy of medical and sensitive financial records."
Postponing the medical rules indefinitely would go against this campaign
statement.  It would also likely inject the medical privacy issue into the
debate on Internet privacy that is shaping up in Congress.

Prof. Peter P. Swire
Ohio State University College of Law
(Chief Counselor for Privacy, U.S. Office of Management and Budget,
cell: (301) 213-9587
swire.1 () osu edu

POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

  By Date           By Thread  

Current thread:
  • FC: U.S. medical privacy regulations may be postponed indefinitely Declan McCullagh (Feb 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]