Home page logo

Politech mailing list archives

FC: A mini-debate on U.S. medical privacy rules and effectiveness
From: Declan McCullagh <declan () well com>
Date: Wed, 28 Feb 2001 08:35:21 -0500

Three people contributed to this exchange:
 - Jamie Love, who works for Ralph Nader at the Consumer Project on Technology
 - Peter Swire, formerly chief counselor for privacy at the White House
- Jim Harper, former Republican Hill staffer and founder of the free-market site privacilla.org

This is a response to Peter's note from the weekend:
See a previous exchange in this vein:



From: "Jim Harper" <jim.harper () privacilla org>
To: <declan () well com>
Cc: <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed indefinitely
Date: Sun, 25 Feb 2001 17:41:17 -0500


As Peter Swire knows, and as the preamble to the HIPAA medical privacy
regulation reports, "all fifty states today recognize in tort law a common
law or statutory right to privacy."  Odd phrasing aside, this means that
everyone in the United States today can sue anyone who violates their

Perhaps Peter's phrasing is off when he says that, without the HIPAA regs,
we would have "a baseline of no privacy protection."  That surely sounds
provocative --- but it's not true.

As to moving forward from some baseline, I recently asked subscribers to the
Privacilla list about the consumer benefits of the HIPAA privacy
regulations.  I would like to extend the question to Peter, and any other
interested Politechnicals:

"Can anyone point out actual harms people are suffering today that they will
no longer suffer once the health care system complies [with the HIPAA
privacy regulations]?"

This is a precisely worded question.  I'm asking about real harms to real
people that will really go away.  I'd be happy to take responses at
hipaa () privacilla org (Subject: HIPAA).

Jim Harper


Date: Mon, 26 Feb 2001 12:51:27 -0500
To: "Jim Harper" <jim.harper () privacilla org>, <declan () well com>
From: "Peter P. Swire" <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed
In-Reply-To: <003c01c09f7c$11ebc8c0$80a6accf () compaq>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: 3837dd15854fede4416b1188196425e3

HHS was required to do a detailed cost/benefit analysis as part of issuing the final rule. Extensive answers to the questions about risk and benefits are in the introduction to the proposed rule and the regulatory impact analysis. I won't repeat all the many points here.

One major category of "real harm to real people" comes when individuals do not feel that they can accurately tell their medical provider about confidential information. One 1999 poll found that already one in six Americans said that they had inaccurately reported to a medical provider due to concerns about lack of confidentiality. Without the health privacy rules, people are subject to being fired or losing their health insurance (or can accurately believe they can be fired or lose insurance) if they get a positive HIV test, or seek help from a mental health professional, or need help with a substance abuse problem, or get a positive test for cancer or any other expensive-to-treat condition. Not getting medical assistance due to a fear of lack of confidentiality constitutes "real harm to real people." Being fired or losing health insurance also constitutes "real harm," although it will generally be difficult or impossible to prove that an employer or insurer acted because of access to the medical information.

As for the quote about "all fifty states today recognize in tort law a common law or statutory right to privacy," the reference is overwhelmingly to the four limited torts of privacy that Prosser outlined in the 1950s: (1) appropriation of name or likeness (using Michael Jordan's picture for an ad without his permission); (2) unreasonable intrusion (where cases have usually focused on wiretapping and other unreasonable, physical invasions); (3) public disclosure of private facts (limited by most common law courts to highly exceptionable circumstances); and (4) false light in the public eye (similar to defamation). My opinion as a law professor and someone who worked extensively on medical privacy is that the four traditional torts catch only a very small portion of the improper disclosures of medical records that would be covered by the HHS rule.

As for the "baseline of no privacy protection", my point was that there are no federal rules for patient confidentiality, unless and until the medical privacy rules go into effect. (In the interest of full disclosure, there are a couple of highly specialized federal rules, such as substance abuse records held in certain circumstances. So perhaps I should have more cautiously said "for over 99 percent of medical records" there are no federal privacy protections).



From: "Jim Harper" <jim.harper () privacilla org>
To: <declan () well com>, "Peter P. Swire" <swire.1 () osu edu>
Subject: Re: U.S. medical privacy regulations may be postponed indefinitely
Date: Mon, 26 Feb 2001 14:54:03 -0500
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal


One of the most important elements of my big HIPAA question is what harms
people "will no longer suffer once the health care system complies."  Real
harms to real people *that will really go away.*

Like the HIPAA documents, Peter identifies a generalized fear for privacy,
from which --- I agree --- real harms may flow.  (HIPAA also identified
health insurance claim forms blowing off a truck and other mishaps that
can't be prevented by more regulation.)

HIPAA appears to be essentially a gamble that consumer confidence in the
health care system will be created by increasing government intervention
while reducing patient choice and control for: oversight of the health care
system, FDA monitoring, public health surveillance, law enforcement
activities, and so on and so forth.

It's not upsetting to see that bet taken off the table.  It may not be a
good one.

Though I have my guesses, I do not know why consumer education and patient
empowerment were not the responses HHS chose to meet the consumer confidence
deficit.  (Real empowerment through freedom to contract, not through
government-mandated notice-and-consent forms.)  The better approach would
really put patients in control, keep the government out of patients'
records, and let the consumer confidence flow naturally from that.

I admit freely that my opinion of what's better is as bare an assertion as
the idea that government regulation would do the trick.  I'll also assert,
just as nakedly, that consumer education and empowerment would not take $17
*billion* dollars worth of insurance and treatments away from patients, as
the HIPAA regs would.

Jim Harper


Date: Sun, 25 Feb 2001 08:08:02 -0500
From: James Love <love () cptech org>
Organization: http://www.cptech.org
To: declan () well com
Cc: politech () politechbot com, "Banisar, Dave" <banisar () epic org>
Subject: Re: FC: U.S. medical privacy regulations may be postponed indefinitely
References: < () mail well com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: cae0d2b9c4837428175e56284fcd1897

Declan, I think it is pretty amazing and pretty depresssing that in eight years, the Clinton Administration could not get these rules in place. Could Peter explain the low level of productivity on the privacy side? Lack of interest? Short work weeks? Short attention spans? Reluctance to offend IBM and other powerful medical records lobby groups? Why did it take eight years and to the end of the administration to figure out there was a need for something like this? Did Clinton begin to figure this out during the Starr/Paul Jones investigations, and the discovery into the distinctive characteristics of his penis? Jamie

James Love
Consumer Project on Technology
P.O. Box 19367, Washington, DC 20036
love () cptech org
1.202.387.8030 fax


POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

  By Date           By Thread  

Current thread:
  • FC: A mini-debate on U.S. medical privacy rules and effectiveness Declan McCullagh (Feb 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]