Hungry, hungry HIPAA: when privacy regulations go too far.

Author: Kapushion, Meredith
Position: Health Insurance Portability and Accountability Act of 1996

Privacy has many different definitions ranging from informational privacy to civil libertarian ideas of personal autonomy. (1) It is difficult to define as it arises from a complex set of rules and institutions which determine the limitations and availability of information. (2) As we find new ways to harness the massive amounts of available information, our lives may be subject to unwanted scrutiny and real losses stemming from privacy violations. (3) While absolute privacy is unattainable, there are good reasons for pursuing policies which might prevent the erosion of its boundaries--no matter how gray or ill-defined those boundaries may be. (4) In the area of personal health and medical information, the sensitive nature of the information at stake makes such losses all the more perilous and potentially injurious. (5)

Congress, concerned with the specter of privacy violations made possible by advances in technology and the use of electronic data storage, enacted medical privacy regulations with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). (6) HIPAA imposes considerable regulatory burdens on health care organizations in the hope that strict administration and control of information will prevent both real and perceived injuries from unauthorized and unwanted scrutiny of personal health data. (7) These concerns are by no means unfounded, but it remains to be seen whether HIPAA's means of prevention are in fact the best cure.

Part I of this Comment traces a brief overview of the general development and regulatory requirements of HIPAA. Part II critiques HIPAA from a law and economics perspective, examining the economics of privacy, the problematic conditions in the market for health care services, whether HIPAA adequately addresses privacy concerns, and the costs and consequences of HIPAA. Part III suggests several alternatives for privacy advocates. In making policy choices, the costs should be carefully weighed against the benefits, and the outcomes should significantly solve the problems the policy was intended to address. (8) The tradeoffs we accept in return for greater privacy protections should reflect our individual preferences to the greatest extent possible, and the solution put into place should have the flexibility to adjust to changing needs and the appropriate incentives to improve over time. Ultimately, HIPAA fails to meet these criteria, creates a number of new legal and economic problems, and adds regulatory and financial burdens to an already complex and costly health care system.

  1. HIPAA's IMPLEMENTATION

    While HIPAA's general policy goal was to protect the continuity of employee health coverage when changing jobs, (9) the primary purpose of the privacy provisions was to address the public's concern over employer access to sensitive employee medical information. (10) Other goals included providing additional safeguards against third party access to "protected health information" ("PHI"), (11) establishing procedures for information access, (12) and giving patients notice and access rights to their medical information. (13)

    The HIPAA legislation gave Congress a self-imposed deadline of three years to enact legislation protecting the privacy of health information. (14) Congress required the privacy regulations to address three specific areas:

    1) The rights that an individual who is a subject of individually identifiable health information should have.

    2) The procedures that should be established for the exercise of such rights.

    3) The uses and disclosures of such information that should be authorized or required. (15)

    In lieu of Congress meeting the deadline, the Secretary of Health and Human Services ("HHS") was authorized to enact such regulations. (16) Congress failed to act before the HIPAA deadline in 1999. The HHS Secretary then undertook the task, issuing final regulations in April of 2001, which went into effect on April 14, 2003. (17) Small group health plans (under $5 million) were given an additional year to meet the requirements with April 16, 2004 as the final deadline for compliance. (18) The HHS rules regulate only covered entities--health care providers, insurers, health plans, and clearing houses which handle individually identifiable patient information and transmit that information electronically. (19) The privacy provisions, however, cover all information regardless of format. (20) Electronic transmission is relevant only to determine whether an organization is a covered entity; (21) covered entities are liable for all unauthorized disclosures of an individual's PHI, whether handled electronically or not. (22)

    The HIPAA provisions outline a number of penalties for noncompliance and wrongful disclosure of PHI. Disclosure penalties range from fines of $100 to $50,000 per violation. (23) Criminal penalties for violations with proven intent can include fines up to $250,000 and ten years imprisonment. (24)

    Citing the need for reform and improving consumer confidence in the integrity of medical records, the regulations set forth uniform national standards for patient privacy protection. The evidence of privacy abuse, however, was largely anecdotal in nature, and many of the examples given were already in breach of law or contract and could not have been remedied, regardless of the policy in place. (25) Despite this, Congress took steps to deter potential future violations, and HIPAA marked the first time such a baseline national privacy standard had been promulgated. (26) The rules preempt state laws only to the extent that they are less prohibitive, (27) and do not replace them. (28) HIPAA intentionally creates a floor, but not a ceiling, on privacy protections in an attempt to provide consistent restrictions on the disclosure of PHI.

  2. INTENT, EFFICIENCY, AND UNINTENDED CONSEQUENCES

    1. The Economics of Privacy

      It is difficult to treat privacy as a typical economic good. To fit the definition of an economic good, the quantity of privacy demanded must exceed the quantity supplied at a price of zero. (29) Simply put, if privacy were free, we would all want more. But what does this mean in the everyday world? There is no "market" for privacy per se, (30) and as a bundle of rules and institutions that limit the transferability of information, it is hard to think of privacy as a "good" the way that one thinks of apples, BMWs, or financial services as goods. Privacy is distinguished from the tangible goods which may complement it--window shades, caller I.D., trench coats, and fedoras--and from the substantive information it governs. The "bundle" is intangible, nontransferable, and possesses few, if any, of the characteristics we would traditionally ascribe to property. (31)

      Despite fitting the model loosely, privacy is nonetheless an economic good. (32) It is scarce, that is, we generally don't want to relinquish control over personal information unless we get something in return, and likewise, we would be willing to pay for more privacy up to the point where the marginal benefits equal the marginal costs. (33) As inapposite as it may initially seem, the metaphor of the market applies and it is instructive to think of privacy within the framework of supply and demand. The demand for privacy is driven by the competing consumption interests of market participants who would prefer other rules and institutions to govern the flow of information. Supply is similarly determined by the costs of ensuring more privacy. (34) In this context, market participants who value relaxed privacy protections will compete against those who favor more stringent policies.

      As a brief aside, it is relevant to note that the current tone of the privacy debate leaves little wiggle room for those with competing demand interests. Fred Cate notes that

      [i]t is frankly difficult to find the 'other' side of the privacy debate in large part because the benefits that result from open information flows (and may be placed at risk when privacy protections interfere with those flows) are so integral a part of our lives that they are seldom explicitly recognized or fully understood. (35)

      To avoid demonizing those who are "anti-privacy," (36) it is useful to think of some of the positive effects of relaxed privacy standards from a broader social policy standpoint. For instance, fewer restrictions on information allow insurance markets to operate efficiently, reduce transaction costs among privacy providers, facilitate education and research, and lower overall costs for consumers. (37) These and other advantages benefit society in the aggregate and should not be easily discounted. The effect of any given privacy policy is to create a tradeoff between these benefits and those gained from limiting access to information. (38) Where the balance falls will depend on how we value these tradeoffs. (39) The important thing is that we are informed as we make these decisions and consider that an increase in the amount of privacy may be more harmful than beneficial after a certain point. (40)

      Privacy also presents another problem. While there may be a variety of options to choose from in buying any given privacy policy, the value of that policy is obscured until future valuations are revealed. Unlike most goods, the value of privacy is difficult to gauge because damages from disclosure may be entirely unknown at the time the policy is agreed upon or "purchased," as is the likelihood of that disclosure occurring. (41) Most consumers do not know what their future medical condition will be at the time they subscribe to a medical plan. They are essentially buying a "black box" based on risk preferences and speculation about future conditions based on limited present information. The acceptable risk of PHI disclosure is entirely unresolved until the substance of the PHI is known. (42) Thus, the ultimate value of privacy is not revealed until long after a policy is in place.

      Despite this drawback...
