HIPAA on privacy: its unintended and intended consequences.

• Author: Epstein, Richard A.

The single most conspicuous growth industry in Washington, D.C., is regulation and the administrative structure it spawns. The number of programs in Washington that start big is relatively small. The dominant strategy in all cases is to identify some failure in the private sector and then to propose some well-tailored government program to combat it. At the stage of inception, everyone is sensitive to the risks of overreaching through regulation. But the mood shifts on implementation of the program.

The key question is what attitude is brought to the two kinds of error that must be confronted by any system of social control: too much or too little. Within this new context, the risks of underinclusion are always high on the agenda. The risks of overinclusion tend to be neglected.

To give but one example, the 1964 Civil Rights Act was sold as a statute that was intended to remove a particular form of irrationality in the marketplace by refusing to allow employers to make invidious distinctions on grounds of race, sex, and national origin. At the time everyone disclaimed any effort to impose prohibitions when employers did not resort to conscious differences in treatment. No one thought that employers could be held responsible for the background conditions in society at large that contributed to differential levels of preparation of, for example, black and white applicants. (1) But we all know the story as to how the initial program grew rapidly by a combination of administrative regulation and judicial decisions. The same story could be told over and over again, for example, with the growth in Social Security and Medicare.

The Health Insurance Portability and Accountability Act is obviously of more recent vintage, but it shows the same precocious capacity for growth so evidently present in earlier forms of federal regulation (Scott 2000). The language of the statute suggests that its primary concern was with "portability," namely the ability of individuals with preexisting conditions to keep their insurance coverage when they went from one job to another. But the real sleeper in HIPAA is found in its provisions on privacy, where the regulations, adopted in the face of a congressional impasse, have just taken off. In order to see how the process works, I propose to examine HIPAA in two ways. The first part is narrower in its orientation, and looks at what I believe to be the important conflict between the concern for privacy on the one hand, and the ability of medical scientists, physicians, and institutions to continue on with their traditional research activities. The second part will be more global, and will examine the larger intellectual framework on privacy that, in my view, fuels this latest misguided round of regulatory expansion. The third part of this paper then concludes with a discussion of the public choice explanation that drives these changes.

HIPAA and Medical Research

In order to understand the impact of HIPAA on medical research, it is important to establish a baseline for comparison, which allows us to assess the differences between the pre- and the post-HIPAA world. The former world should not be treated as though it were the state of nature, in which no one knew about privacy or cared about the consequences that might flow from the inopportune release of information. Quite the opposite, the tradeoffs between the control of information and the need for its dissemination into different arenas did not first surface in 1995 or 1996. Rather, it has long been at the center of the discussion for research protocols used by physicians, hospitals, and research centers. The protection of medical records was always a big deal, one that was subject to regulation as well as contract (Moses 2000: 519-20), including the Freedom of Information Act and Medicare rules. (2)

The questions that were raised in response to this challenge were in my view the right questions: how much do we value privacy, how much will it cost to protect it, and what tradeoffs do we have to make with respect to other institutions?

In the abstract these questions are always hard to answer. Each person standing in isolation is a devoted champion of both privacy and full disclosure. He wants information about him to be kept private so as to increase his ability to project a favorable image and to shape his dealings with other individuals. He also wants to collect all information about others so that he can deal with them from a position of knowledge and strength. Clearly one person is able to attain both these objectives only so long as other individuals fail on both counts.

But once the question becomes a social question, one in which we recognize the like rights of other persons, then all of us have to recognize that none of us shall prevail entirely on either of these legitimate desires. Like it or not, we have, as it were, to make our judgments from behind the Rawlsian veil of ignorance to decide when to opt for disclosure and when to opt for privacy. At this point, we all face a serious tradeoff that requires for its solution the local knowledge that Hayek pointed out was indispensable for the day-to-day operation of any complex set of social institutions. The solutions that evolved over time were decentralized and spontaneous. They were certainly a bit mushy about the edges, and they tended to evolve with changes in technology, which have generally increased the ability to reproduce and transmit information at rapid rates to large numbers of individuals.

In the pre-HIPAA arena, various tradeoffs were made on the borderline between privacy and medical research. The constellation of practices was to a great degree a matter of shared expectations and conventions. Most people, when they went in for medical treatment, knew that they did not suffer from a rare disease or have some dangerous condition. For them, the connection between their own well-being and medical research was not the dominant issue.

By the same token, most people do not matter in the arcane world of medical research. The profile of casual indifference that captures most routine physician/patient interactions most decidedly does not apply to people with chronic conditions or to people faced with life-threatening illnesses or major disabilities. At this point, the quest for knowledge becomes intensive. Many a person has kept himself alive by learning enough about his basic condition to aid and facilitate his treatment, or done the same for his loved ones, as well as others with similar conditions.

The proof here is in the pudding. Much of the money raised for medical research comes from individuals who have suffered from major conditions or who have family members so afflicted. Two recent examples that come to mind are Michael Milken and Andy Grove, both of whom devoted major resources to research into new treatment of prostate cancer. These cases have been replicated countless times on a smaller scale. People who know the ravages of certain illnesses firsthand are often willing to do a great deal, and to pay a great deal, to eradicate them.

Expenditures for medical research do not come cheap. But what of ordinary individuals who cannot afford to fund it? To see how they might participate, ask yourself this question: If someone were to ask you to participate in a study that might help cure or alleviate the effects of a particular disease from which you suffered, would you participate in the program, stand aloof from it, or oppose its operation on the ground (of course) that it invades your right of privacy? My sense is that most people would opt for the first alternative out of the usual set of mixed motives. Participation in these studies often secures access to better physicians. It may allow patients to network with others who have similar conditions and, in some cases, may reduce the cost of service. It may also increase the prospects for treatment and cure. It is very unlikely that people would oppose the creation of knowledge when it works both for their own interest and the interests of others. The more serious the condition, the more likely the participation.

It takes, I believe, little empirical imagination to conclude that this scenario has been undertaken thousands of times. Each time, moreover, it carries with it some definable risk to privacy. But these are risks that are worth bearing for the gains that they promise.

The question then arises as to what incremental steps ought to be taken to minimize the risks. Once again there are strong guidelines but no safe harbors. One possibility is that all clinical data must be used and recorded anonymously. After all, what the research program needs is not autobiographical information but workable patient populations sorted by age, sex, disease condition, occupation, and the like. It is also clear that when these data are reported publicly, numerical identifiers replace individual names. All readers know is that number 356 in table one is the same person as number 356 in table two. The names are suppressed

However, there are difficulties with extending this approach to the collection and storage of data. One question is how much information should be stored in connection with any given case. Here it is difficult to identify in advance any test of relevance that determines what information should be stored and what disregarded. In dealing with diseases and chronic conditions, it is important to know where people were born, when they were born, how many siblings they had, who their parents were, what was their race and religion, and so on down the line. One or another of these attributes could contain important information about the nature of the condition or its probable severity and the like. All of this material is obviously relevant for the study and classification of genetic diseases. Rich files are therefore the order of the day to keep in archival form material that may someday have to be...