![[Politech logo]](http://www.politechbot.com/image/logo.gif){kind=logo}
Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of culture, technology, politics, and law. Since 2000, so has the Politech web site.
Three people contributed to this exchange: - Jamie Love, who works for Ralph Nader at the Consumer Project on Technology - Peter Swire, formerly chief counselor for privacy at the White House - Jim Harper, former Republican Hill staffer and founder of the free-market site privacilla.org This is a response to Peter's note from the weekend: http://www.politechbot.com/p-01764.html See a previous exchange in this vein: http://www.politechbot.com/p-01656.html -Declan ********** From: "Jim Harper" <jim.harper@privacilla.org> To: <declan@well.com> Cc: <swire.1@osu.edu> Subject: Re: U.S. medical privacy regulations may be postponed indefinitely Date: Sun, 25 Feb 2001 17:41:17 -0500 Declan: As Peter Swire knows, and as the preamble to the HIPAA medical privacy regulation reports, "all fifty states today recognize in tort law a common law or statutory right to privacy." Odd phrasing aside, this means that everyone in the United States today can sue anyone who violates their privacy. Perhaps Peter's phrasing is off when he says that, without the HIPAA regs, we would have "a baseline of no privacy protection." That surely sounds provocative --- but it's not true. As to moving forward from some baseline, I recently asked subscribers to the Privacilla list about the consumer benefits of the HIPAA privacy regulations. I would like to extend the question to Peter, and any other interested Politechnicals: "Can anyone point out actual harms people are suffering today that they will no longer suffer once the health care system complies [with the HIPAA privacy regulations]?" This is a precisely worded question. I'm asking about real harms to real people that will really go away. I'd be happy to take responses at hipaa@privacilla.org (Subject: HIPAA). Jim Harper Privacilla.org ********** Date: Mon, 26 Feb 2001 12:51:27 -0500 To: "Jim Harper" <jim.harper@privacilla.org>, <declan@well.com> From: "Peter P. Swire" <swire.1@osu.edu> Subject: Re: U.S. medical privacy regulations may be postponed indefinitely In-Reply-To: <003c01c09f7c$11ebc8c0$80a6accf@compaq> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-UIDL: 3837dd15854fede4416b1188196425e3 HHS was required to do a detailed cost/benefit analysis as part of issuing the final rule. Extensive answers to the questions about risk and benefits are in the introduction to the proposed rule and the regulatory impact analysis. I won't repeat all the many points here. One major category of "real harm to real people" comes when individuals do not feel that they can accurately tell their medical provider about confidential information. One 1999 poll found that already one in six Americans said that they had inaccurately reported to a medical provider due to concerns about lack of confidentiality. Without the health privacy rules, people are subject to being fired or losing their health insurance (or can accurately believe they can be fired or lose insurance) if they get a positive HIV test, or seek help from a mental health professional, or need help with a substance abuse problem, or get a positive test for cancer or any other expensive-to-treat condition. Not getting medical assistance due to a fear of lack of confidentiality constitutes "real harm to real people." Being fired or losing health insurance also constitutes "real harm," although it will generally be difficult or impossible to prove that an employer or insurer acted because of access to the medical information. As for the quote about "all fifty states today recognize in tort law a common law or statutory right to privacy," the reference is overwhelmingly to the four limited torts of privacy that Prosser outlined in the 1950s: (1) appropriation of name or likeness (using Michael Jordan's picture for an ad without his permission); (2) unreasonable intrusion (where cases have usually focused on wiretapping and other unreasonable, physical invasions); (3) public disclosure of private facts (limited by most common law courts to highly exceptionable circumstances); and (4) false light in the public eye (similar to defamation). My opinion as a law professor and someone who worked extensively on medical privacy is that the four traditional torts catch only a very small portion of the improper disclosures of medical records that would be covered by the HHS rule. As for the "baseline of no privacy protection", my point was that there are no federal rules for patient confidentiality, unless and until the medical privacy rules go into effect. (In the interest of full disclosure, there are a couple of highly specialized federal rules, such as substance abuse records held in certain circumstances. So perhaps I should have more cautiously said "for over 99 percent of medical records" there are no federal privacy protections). Peter ********** From: "Jim Harper" <jim.harper@privacilla.org> To: <declan@well.com>, "Peter P. Swire" <swire.1@osu.edu> Subject: Re: U.S. medical privacy regulations may be postponed indefinitely Date: Mon, 26 Feb 2001 14:54:03 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal Declan: One of the most important elements of my big HIPAA question is what harms people "will no longer suffer once the health care system complies." Real harms to real people *that will really go away.* Like the HIPAA documents, Peter identifies a generalized fear for privacy, from which --- I agree --- real harms may flow. (HIPAA also identified health insurance claim forms blowing off a truck and other mishaps that can't be prevented by more regulation.) HIPAA appears to be essentially a gamble that consumer confidence in the health care system will be created by increasing government intervention while reducing patient choice and control for: oversight of the health care system, FDA monitoring, public health surveillance, law enforcement activities, and so on and so forth. It's not upsetting to see that bet taken off the table. It may not be a good one. Though I have my guesses, I do not know why consumer education and patient empowerment were not the responses HHS chose to meet the consumer confidence deficit. (Real empowerment through freedom to contract, not through government-mandated notice-and-consent forms.) The better approach would really put patients in control, keep the government out of patients' records, and let the consumer confidence flow naturally from that. I admit freely that my opinion of what's better is as bare an assertion as the idea that government regulation would do the trick. I'll also assert, just as nakedly, that consumer education and empowerment would not take $17 *billion* dollars worth of insurance and treatments away from patients, as the HIPAA regs would. Jim Harper Privacilla.org ********** Date: Sun, 25 Feb 2001 08:08:02 -0500 From: James Love <love@cptech.org> Organization: http://www.cptech.org To: declan@well.com Cc: politech@politechbot.com, "Banisar, Dave" <banisar@epic.org> Subject: Re: FC: U.S. medical privacy regulations may be postponed indefinitely References: <5.0.2.1.0.20010225004717.0214f1e0@mail.well.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-UIDL: cae0d2b9c4837428175e56284fcd1897 Declan, I think it is pretty amazing and pretty depresssing that in eight years, the Clinton Administration could not get these rules in place. Could Peter explain the low level of productivity on the privacy side? Lack of interest? Short work weeks? Short attention spans? Reluctance to offend IBM and other powerful medical records lobby groups? Why did it take eight years and to the end of the administration to figure out there was a need for something like this? Did Clinton begin to figure this out during the Starr/Paul Jones investigations, and the discovery into the distinctive characteristics of his penis? Jamie -- James Love Consumer Project on Technology P.O. Box 19367, Washington, DC 20036 http://www.cptech.org love@cptech.org 1.202.387.8030 fax 1.202.234.5176 ********** ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if it remains intact. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------