Hungry, hungry HIPAA: when privacy regulations go too far.Privacy has many different definitions ranging from informational privacy to civil libertarian civil libertarian
One who is actively concerned with the protection of the fundamental rights guaranteed to the individual by law: "Civil libertarians tend to assume such tests must be an illegal invasion of privacy" ideas of personal autonomy. (1) It is difficult to define as it arises from a complex set of rules and institutions which determine the limitations and availability of information. (2) As we find new ways to harness the massive amounts of available information, our lives may be subject to unwanted scrutiny and real losses stemming from privacy violations. (3) While absolute privacy is unattainable, there are good reasons for pursuing policies which might prevent the erosion of its boundaries--no matter how gray or ill-defined those boundaries may be. (4) In the area of personal health and medical information, the sensitive nature of the information at stake makes such losses all the more perilous and potentially injurious in·ju·ri·ous
1. Causing or tending to cause injury; harmful: eating habits that are injurious to one's health.
2. . (5)
Congress, concerned with the specter of privacy violations made possible by advances in technology and the use of electronic data storage, enacted medical privacy regulations with the Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.
According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when of 1996 ("HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, "). (6) HIPAA imposes considerable regulatory burdens on health care organizations in the hope that strict administration and control of information will prevent both real and perceived injuries from unauthorized and unwanted scrutiny of personal health data. (7) These concerns are by no means unfounded, but it remains to be seen whether HIPAA's means of prevention are in fact the best cure.
Part I of this Comment traces a brief overview of the general development and regulatory requirements of HIPAA. Part II critiques HIPAA from a law and economics perspective, examining the economics of privacy, the problematic conditions in the market for health care services, whether HIPAA adequately addresses privacy concerns, and the costs and consequences of HIPAA. Part III suggests several alternatives for privacy advocates. In making policy choices, the costs should be carefully weighed against the benefits, and the outcomes should significantly solve the problems the policy was intended to address. (8) The tradeoffs we accept in return for greater privacy protections should reflect our individual preferences to the greatest extent possible, and the solution put into place should have the flexibility to adjust to changing needs and the appropriate incentives to improve over time. Ultimately, HIPAA fails to meet these criteria, creates a number of new legal and economic problems, and adds regulatory and financial burdens to an already complex and costly health care system.
I. HIPAA's IMPLEMENTATION
While HIPAA's general policy goal was to protect the continuity of employee health coverage when changing jobs, (9) the primary purpose of the privacy provisions was to address the public's concern over employer access to sensitive employee medical information. (10) Other goals included providing additional safeguards against third party access to "protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the " ("PHI phi
Symbol The 21st letter of the Greek alphabet.
n See health information, protected. "), (11) establishing procedures for information access, (12) and giving patients notice and access rights to their medical information. (13)
The HIPAA legislation gave Congress a self-imposed deadline of three years to enact legislation protecting the privacy of health information. (14) Congress required the privacy regulations to address three specific areas:
1) The rights that an individual who is a subject of individually identifiable health information should have.
2) The procedures that should be established for the exercise of such rights.
3) The uses and disclosures of such information that should be authorized or required. (15)
In lieu of Congress meeting the deadline, the Secretary of Health and Human Services Noun 1. Secretary of Health and Human Services - the person who holds the secretaryship of the Department of Health and Human Services; "the first Secretary of Health and Human Services was Patricia Roberts Harris who was appointed by Carter" ("HHS HHS Department of Health and Human Services. ") was authorized to enact such regulations. (16) Congress failed to act before the HIPAA deadline in 1999. The HHS Secretary then undertook the task, issuing final regulations in April of 2001, which went into effect on April 14, 2003. (17) Small group health plans (under $5 million) were given an additional year to meet the requirements with April 16, 2004 as the final deadline for compliance. (18) The HHS rules regulate only covered entities-health care providers, insurers, health plans, and clearing houses which handle individually identifiable patient information and transmit that information electronically. (19) The privacy provisions, however, cover all information regardless of format. (20) Electronic transmission is relevant only to determine whether an organization is a covered entity; (21) covered entities are liable for all unauthorized disclosures of an individual's PHI, whether handled electronically or not. (22)
The HIPAA provisions outline a number of penalties for noncompliance noncompliance
failure of the owner to follow instructions, particularly in administering medication as prescribed; a cause of a less than expected response to treatment.
noncompliance and wrongful disclosure of PHI. Disclosure penalties range from fines of $100 to $50,000 per violation. (23) Criminal penalties for violations with proven intent can include fines up to $250,000 and ten years imprisonment Imprisonment
See also Isolation.
former federal maximum security penitentiary, near San Francisco; “escapeproof.” [Am. Hist.: Flexner, 218]
German prison ship in World War II. [Br. Hist. . (24)
Citing the need for reform and improving consumer confidence in the integrity of medical records, the regulations set forth uniform national standards for patient privacy protection. The evidence of privacy abuse, however, was largely anecdotal in nature, and many of the examples given were already in breach of law or contract and could not have been remedied, regardless of the policy in place. (25) Despite this, Congress took steps to deter potential future violations, and HIPAA marked the first time such a baseline national privacy standard had been promulgated prom·ul·gate
tr.v. prom·ul·gat·ed, prom·ul·gat·ing, prom·ul·gates
1. To make known (a decree, for example) by public declaration; announce officially. See Synonyms at announce.
2. . (26) The rules preempt pre·empt or pre-empt
v. pre·empt·ed, pre·empt·ing, pre·empts
1. To appropriate, seize, or take for oneself before others. See Synonyms at appropriate.
a. state laws only to the extent that they are less prohibitive, (27) and do not replace them. (28) HIPAA intentionally creates a floor, but not a ceiling, on privacy protections in an attempt to provide consistent restrictions on the disclosure of PHI.
II. INTENT, EFFICIENCY, AND UNINTENDED CONSEQUENCES For the "Law of unintended consequences", see Unintended consequence
Unintended Consequences is a novel by author John Ross, first published in 1996 by Accurate Press.
A. The Economics of Privacy
It is difficult to treat privacy as a typical economic good. To fit the definition of an economic good, the quantity of privacy demanded must exceed the quantity supplied at a price of zero. (29) Simply put, if privacy were free, we would all want more. But what does this mean in the everyday world? There is no "market" for privacy per se, (30) and as a bundle of rules and institutions that limit the transferability of information, it is hard to think of privacy as a "good" the way that one thinks of apples, BMWs, or financial services The examples and perspective in this article or section may not represent a worldwide view of the subject.
Please [ improve this article] or discuss the issue on the talk page. as goods. Privacy is distinguished from the tangible goods which may complement it--window shades, caller I.D., trench coats, and fedoras--and from the substantive information it governs. The "bundle" is intangible, nontransferable, and possesses few, if any, of the characteristics we would traditionally ascribe as·cribe
tr.v. as·cribed, as·crib·ing, as·cribes
1. To attribute to a specified cause, source, or origin: "Other people ascribe his exclusion from the canon to an unsubtle form of racism" to property. (31)
Despite fitting the model loosely, privacy is nonetheless an economic good. (32) It is scarce, that is, we generally don't want to relinquish control over personal information unless we get something in return, and likewise, we would be willing to pay for more privacy up to the point where the marginal benefits equal the marginal costs Marginal cost
The increase or decrease in a firm's total cost of production as a result of changing production by one unit.
The additional cost needed to produce or purchase one more unit of a good or service. . (33) As inapposite in·ap·po·site
Not pertinent; unsuitable.
in·ap as it may initially seem, the metaphor of the market applies and it is instructive to think of privacy within the framework of supply and demand. The demand for privacy is driven by the competing consumption interests of market participants who would prefer other rules and institutions to govern the flow of information. Supply is similarly determined by the costs of ensuring more privacy. (34) In this context, market participants who value relaxed privacy protections will compete against those who favor more stringent policies.
As a brief aside, it is relevant to note that the current tone of the privacy debate leaves little wiggle room wiggle room
Flexibility, as of options or interpretation: ambiguous wording that left some wiggle room for further negotiation.
Noun 1. for those with competing demand interests. Fred Cate notes that
[i]t is frankly difficult to find the 'other' side of the privacy debate in large part because the benefits that result from open information flows (and may be placed at risk when privacy protections interfere with those flows) are so integral a part of our lives that they are seldom explicitly recognized or fully understood. (35)
To avoid demonizing those who are "anti-privacy," (36) it is useful to think of some of the positive effects of relaxed privacy standards from a broader social policy standpoint. For instance, fewer restrictions on information allow insurance markets to operate efficiently, reduce transaction costs Transaction Costs
noncontroversial, uncontroversial - not likely to arouse controversy or "purchased," as is the likelihood of that disclosure occurring. (41) Most consumers do not know what their future medical condition will be at the time they subscribe to Verb 1. subscribe to - receive or obtain regularly; "We take the Times every day"
buy, purchase - obtain by purchase; acquire by means of a financial transaction; "The family purchased a new car"; "The conglomerate acquired a new company"; a medical plan. They are essentially buying a "black box" based on risk preferences and speculation about future conditions based on limited present information. The acceptable risk of PHI disclosure is entirely unresolved until the substance of the PHI is known. (42) Thus, the ultimate value of privacy is not revealed until long after a policy is in place.
Despite this drawback, privacy may still be treated as an economic good and priced as such. All time-preferenced goods involve some measure of risk evaluation and speculation in pricing. (43) Just as insurance policies reflect different risk preferences by offering an array of policies priced by actuarial ac·tu·ar·y
n. pl. ac·tu·ar·ies
A statistician who computes insurance risks and premiums.
[Latin estimates, so too can privacy policies reflect individual preferences by following a similar strategy. (44) One solution is to concentrate or bundle the preferences of individual consumers. This could take the form of group policy plans, provider set standards, or some hybrid between the two.
There is a problem, however, in that catering to individual preferences can become very costly, very quickly. While it is conceivable that an individual could contract with every covered entity they come into contact with, the costs could mushroom as providers scrambled to accommodate a variety of needs, and regulatory oversight is replaced by extensive contract enforcement. This is not a foregone conclusion foregone conclusion
1. An end or a result regarded as inevitable: The victory was a foregone conclusion. See Usage Note at foregone.
2. , however. The incentive to develop a way to meet the need for customized solutions while keeping costs minimized is as strong as the demand driving it. Entrepreneurs in search of potential profits will search for ways to capitalize on Cap´i`tal`ize on`
v. t. 1. To turn (an opportunity) to one's advantage; to take advantage of (a situation); to profit from; as, to capitalize on an opponent's mistakes s>. the potential profits and will likely find innovative solutions. (45)
Critics of this type of market-oriented approach point out that this kind of price discrimination is not possible within the current system because of "pervasive market failures." (46)
Although they are correct in their assessment that the conditions for a traditional competitive market do not presently exist, (47) it is not a foregone conclusion that the market has failed or cannot provide an efficient outcome. Problems such as high transaction costs, information asymmetries Information asymmetry
Condition that information is known to some, but not all, participants. , and bargaining power disparities are commonplace in the real world and many (if not all) economists are well aware that the theoretical constraints and ceteris paribus Ceteris Paribus
Latin phrase that translates approximately to "holding other things constant" and is usually rendered in English as "all other things being equal". In economics and finance, the term is used as a shorthand for indicating the effect of one economic variable on clauses that delimit de·lim·it also de·lim·i·tate
tr.v. de·lim·it·ed also de·lim·i·tat·ed, de·lim·it·ing also de·lim·i·tat·ing, de·lim·its also de·lim·i·tates
To establish the limits or boundaries of; demarcate. economic models do not hold true in actual practice. (48) Despite this, markets tend to work, even when the conditions suggest the classical economics framework will have little predictive power The predictive power of a scientific theory refers to its ability to generate testable predictions. Theories with strong predictive power are highly valued, because the predictions can often encourage the falsification of the theory. . (49) Further, when particular markets are treated within an experimental framework, economists often discover that these discrepancies may not be problems at all. (50) This is not to say that the market always works flawlessly or that complications are irrelevant. Without looking at the actual functions of a particular market and at how the participants behave within the rules and institutions that exist, it is simply inaccurate to conclude that the underlying conditions inevitably lead to market failure or that there are not effective measures for changing the rules of the game in order to yield optimal outcomes.
With the advent of HIPAA, a uniform standard is imposed which cannot adjust to individual preferences without risking liability for covered entities. Rather than enable more refined price discrimination by offering consumers a variety of choices priced along the demand curve, a "one-size-fits-all" federal policy ensures that there is no price discrimination whatsoever. (51) Scarce resources are not allocated according to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. their most valued uses, and the benefits of a competitive market are lost to waste. (52) HIPAA fails to match consumer preferences to competing policies, and the end result is guaranteed inefficiency and true market failure.
To illustrate part of the problem, consider a hypothetical hospital that caters only to patients with the lowest of privacy preferences. Even with all patients choosing to sign authorization and consent forms, the hospital would not escape the administrative and operative burdens that HIPAA imposes. The federal regulations mandate that the hospital jump through every compliance hoop, regardless of consumer preferences. (53) The patients end up bearing the financial costs of a system that offers them little or no substantial benefit. (54)
In the real world, preferences are rarely so uniform. (55) Consumers have wildly divergent preferences based on their individual needs and tempered by the costs they are willing to bear. When patients have heterogeneous preferences, HIPAA is only able to cater to one segment of the market. (56) The costs are not borne in proportion to individual demand, and those with low privacy preferences end up subsidizing the privacy interests of those with high privacy preferences. (57) The net effect is a wealth transfer from the former group to the latter. (58)
B. The Underlying Conditions of the Health Care Market
Stepping away from economic theory, it is useful to ask what led to the problems associated with medical privacy and health care providers in the first place. HIPAA was enacted to deal with the real conflict that exists between employee privacy and employer health care provision, (59) but how did this conflict arise? What led to the emergence of employer provision of health care? How did health care shift from a simple individual "fee for services" arrangement to a complex system of health plans, insurers, administrators, and federal regulation? The answer is not a simple one, but at least part of it lies in the Internal Revenue Code The Internal Revenue Code is the body of law that codifies all federal tax laws, including income, estate, gift, excise, alcohol, tobacco, and employment taxes. These laws constitute title 26 of the U.S. Code (26 U.S.C.A. § 1 et seq. and the rise of third party payers. (60) Over time, policy changes and industry developments have shifted the role of purchasing and bargaining for medical services away from the consumer and towards employers, insurers, and group plan administrators. (61) The tax code provides significant incentives for employers to manage and provide medical coverage as part of the package of benefits that employees receive. (62) The tax burden for employer outlays is lower than if they paid the same amount to the employee directly, (63) and the resulting shift toward employer provision of medical benefits has become so commonplace that it is effectively mandatory in all but the lowest compensated occupations. (64)
While it may reduce individual transaction costs to seek jobs which bundle medical insurance with wages, this makes health services health services Managed care The benefits covered under a health contract costlier overall. (65) At the margin, individuals have few incentives to either engage in risk-averse behavior or to keep claim costs low by monitoring the medical services they receive. (66) Depending on the particular type of health plan provided, employees may face strong incentives to consume more medical services, particularly if deductibles are low relative to individual demand and/or if individual account savings fail to roll over to successive periods. The more an individual is insulated from the costs of their choices, the more likely they are to spend. (67) Thus, plans with poor incentive structures result in greater costs overall. This free rider Free rider
A follower who avoids the cost and expense of finding the best course of action simply by mimicking the behavior of a leader who made these investments. and collective action problem is remedied in part by the employers' interests in keeping costs low, but this indirect bargaining and monitoring is considerably less efficient than its direct alternative. The tradeoff between group plan savings and losses attributable to agency problems is complicated by tax incentives and the increasing complexity of insurance and benefits plans, (68) so it is unclear what the efficient market outcome would actually look like. It is almost certain, however, that if employers were given tax neutral treatment, third party payers would play a substantially smaller role. (69)
As it stands, the current system places employers in the position of having to monitor the health services that are being provided to their employees. Without some sort of accountability check on the type and quality of care provided, employers have no means of keeping insurance costs down or monitoring what exactly they are paying for. (70) This creates a real dilemma for both employers and employees, as the tradeoff for accountability is the diminution Taking away; reduction; lessening; incompleteness.
The term diminution is used in law to signify that a record submitted by an inferior court to a superior court for review is not complete or not fully certified. of medical privacy. As one policy study notes:
Congress will not be able to address the privacy issue fully until it addresses the tax treatment of employer-provided health coverage. Providing tax credits directly to individuals so that they can purchase and own their own health insurance would vastly improve confidentiality of medical records and minimize regulatory intrusion into the patient-doctor relationship. (71)
This and other reform solutions are well worth considering before turning to more government regulation. If it were not for the tax code encouraging employers to play the awkward part of middleman mid·dle·man
1. A trader who buys from producers and sells to retailers or consumers.
2. An intermediary; a go-between. in health care provision, many of the privacy concerns that led to the HIPAA legislation may never have arisen at all. The incidental benefit of changing the payment system to eliminate or reduce the roll of middlemen is to reduce the demand for information and thereby facilitate greater privacy protections.
C. HIPAA's Policy Failings
Unfortunately, HIPAA does little to address the accountability tradeoff, and largely fails to meet its own policy goal of establishing employer/employee privacy safeguards. Employers can effectively sidestep side·step
v. side·stepped, side·step·ping, side·steps
1. To step aside: sidestepped to make way for the runner.
2. HIPAA's protections because of a number of broad consent exceptions (72) and a lack of prohibitions on employers requiring PHI disclosure authorizations as a condition of employment. (73) These and other exceptions may leave patients with inadequate privacy protections. Not only do the regulations open the door to the underprotection of privacy, the penalties often encourage draconian dra·co·ni·an
Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.
[After Draco. overenforcement of the regulations, in some cases, yielding too much privacy. (74)
Given the morass of regulations and accreditation requirements that health care providers already have to contend with, it is not surprising that when faced with uncertainty or the prospect of liability, the tendency is to err on the side of caution and overenforcement. (75) When the stakes are high, uncertainly is an unappealing option, and covered entities are more likely to adopt reactionary policies that favor their interests over those of the patients they serve. A common example of this problem is often cited anecdotally: although the HIPAA rules require hospitals to allow patients to opt-out of the patient directory, (76) many hospitals treat it as an opt-in rule. Unless the patient explicitly authorizes the listing, hospitals will not reveal that information--even in the extreme situation where an unconscious and dying patient's friends and relatives are trying to locate her. (77) While some providers may be unknowingly misapplying the law, many knowingly overreach overreach
the error in a fast gait when the toe of a hindhoof of a horse strikes and injures the back of the pastern of the leg on the same side.
overreach boot for fear of the litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute.
When a person begins a civil lawsuit, the person enters into a process called litigation. and penalties that threaten to ensue en·sue
intr.v. en·sued, en·su·ing, en·sues
1. To follow as a consequence or result. See Synonyms at follow.
2. To take place subsequently. . (78)
In a similar vein, consent forms tend to be overbroad to avoid potential liability. (79) While HIPAA takes steps to redress this by requiring plain language descriptions of the information and its means of disclosure, (80) it is largely ineffective given that few patients bother to read the authorization forms at all--much less in critical detail. (81) While HIPAA shifts control towards patients, this is not clearly in their favor. They have the option to sign or not to sign, but they lose the diversity of options they have to choose from and may be left with a stark choice between relinquishing their privacy via a consent form or forgoing treatment altogether.
There are also numerous exceptions to the consent requirements that are not within the patient's control.
[T]oday patient consent is not required for disclosures of your personal medical information by covered entities in connection with medical treatment, payment or health care operations. Although patient authorization is required in certain other situations, a laundry list of over-broad exceptions retained from the original rules largely guts the authorization requirement. (82)
The gains that might initially seem to advance the interests of ardent privacy advocates are quickly swallowed by this and other problematic HIPAA rules which inadequately protect patient privacy. (83)
Privacy advocates should also be concerned with HIPAA's "transactions rule." The rule sets forth a standardized format for medical records, (84) which allows for centralized cen·tral·ize
v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es
1. To draw into or toward a center; consolidate.
2. data collection on a scale not previously feasible. This move might bode bode 1
v. bod·ed, bod·ing, bodes
1. To be an omen of: heavy seas that boded trouble for small craft.
2. well from a long-run cost-efficiency perspective, but it raises serious concerns for privacy. (85) Consider, for example, the failed proposal to create a National Data Center put forth by the Johnson administration There have been two Presidents of the United States with the surname "Johnson":
National Health Insurance ") as part of the original HIPAA legislation. (89) These requirements were copied almost verbatim from the rejected 1993 Clinton health security bill. (90) Although the NHI proposal was eventually withdrawn, similar threats to privacy remain as the security requirements of HIPAA dictate a standardized format for medical records, which includes Social Security numbers. (91) In practice, if not in principle, this is essentially equivalent to the NHI proposal. (92)
D. HIPAA's Costs
In addition to the structural problems outlined above, HIPAA also comes with a high price tag. There are direct and indirect costs Indirect costs are costs that are not directly accountable to a particular function or product; these are fixed costs. Indirect costs include taxes, administration, personnel and security costs. See also
Costs that have been incurred and cannot be reversed. as initial policy development and implementation, renegotiation of contracts between business associates, technology improvements, and other administrative burdens. (94) Ongoing costs include personnel training, amendment and correction requirements, and patient authorizations. (95) Combined, these expenditures yield long-run baseline costs The continuing annual costs of military operations funded by the operations and maintenance and military personnel appropriations. between $25 and $30 billion. (96)
Along with direct expenditures, HIPAA also adds to the costs and inefficiencies of the health care market in the form of indirect costs. By adding a layer of regulatory red tape, HIPAA distorts the market process by introducing costs which disproportionately affect covered entities. While the rules may be the same for everyone, the costs of implementing them are not. Large insurance and health care companies will gain stronger positions in the market as they are more able to bear the costs of compliance. In contrast, small organizations will face greater proportional costs. HHS recognized this problem and gave an additional year for small health plans (not small providers) to comply, but this stopgap, applied only to a fraction of affected parties, does not address the underlying problem. The regulations also hinder new entrants to the market who now face higher start up costs as a result of the compliance requirements Compliance requirements are a series of directives established by United States Federal government agencies that summarize hundreds of Federal laws and regulations applicable to Federal assistance (also known as Federal aid or Federal funds). . These barriers to market entry make the market less competitive overall, and as the costs of entering and remaining in the market rise, so too do the costs of health care provisions. (97)
Lastly, HIPAA has a number of additional hidden costs in the form of unintended consequences. Some market players will invariably in·var·i·a·ble
Not changing or subject to change; constant.
in·vari·a·bil profit at the expense of others when new regulatory burdens take effect: here, there are a number of winners and losers. HIPAA is an economic boon to the tech industry (98) and to legal firms and others that specialize in HIPAA compliance. (99) Some insurance companies are already offering protections for liabilities derived explicitly from HIPAA violations. (100) While this may appear to create new jobs, it is only at the expense of scarce resources that would otherwise be put to use more efficiently elsewhere. (101)
The regulations also adversely affect charities and medical research. Charitable organizations that raise money for health causes depend on many former and current patients for charitable revenues. (102) With the advent of HIPAA, they can no longer access or purchase targeted lists without patient consent. (103) This restraint puts charities devoted to medical illness and treatment that are dependent on individual donations at a significant disadvantage. (104) Likewise, HIPAA makes it more difficult for pharmaceutical companies, medical device manufacturers, epidemiologists, (105) and clinical researchers to conduct clinical trials. (106) Researchers no longer have easy access to the medical information that allows them to reach the relevant test subjects. (107) This hurdle will make the already lengthy and expensive delay between product invention and market availability even more encumbered Encumbered
A property owned by one party on which a second party reserves the right to make a valid claim, e.g., a bank's holding of a home mortgage encumbers property. .
Other industries may also face higher costs by virtue of falling with the "covered entities" category, even though they are not ostensibly os·ten·si·ble
Represented or appearing as such; ostensive: His ostensible purpose was charity, but his real goal was popularity. part of the health care industry. Law firms This list of the world's largest law firms by revenue is taken from The Lawyer and The American Lawyer and is ordered by 2006 revenue:
An economic theory that the support of businesses that allows them to flourish will eventually benefit middle- and lower-income people, in the form of increased economic activity and reduced unemployment. " effect is hard to trace and is unlikely to be fully accounted for in any HIPAA cost estimate.
E. HIPAA's Legal Problems
HIPAA also raises a number of legal problems. There are tricky issues with some of the more straightforward legal questions. For instance, when is there a violation? When does a plaintiff have standing, and, what are the possible remedies and defenses? In addition to these types of standard litigation questions, HIPAA raises issues that are unique--namely, problems related to the "minimum necessary" standard and state law preemption preemption
U.S. policy that allowed the first settlers, or squatters, on public land to buy the land they had improved. Since improved land, coveted by speculators, was often priced too high for squatters to buy at auction, temporary preemptive laws allowed them to acquire problems. The typical litigation problems are worth exploring, but are beyond the scope of this paper. It is worthwhile, however, to spend some time looking at the "minimum necessary" standard and preemption problems as they have already generated considerable debate in the literature and litigation in the courts.
The "minimum necessary" standard requires that a covered entity make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request. (110) This attempt to further limit the misuse of PHI creates one of the greatest compliance challenges for covered entities. (111) Even for routine and recurring disclosures or requests, covered entities must implement policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental to meet the standard. (112) Aside from the implementation burden, the main problem with the standard is that it is remarkably vague. Commentators have argued that it is "contrary to sound medical practice" and "unworkable in daily treatment situations." (113) Although it has thus far survived constitutional challenges, (114) this assurance offers little consolation to covered entities struggling to implement the rule. (115) The inherent ambiguity of a "reasonableness" test combined with the near infinite number infinite number
a number so large as to be uncountable. Represented by 8, frequently obtained by 'dividing' by zero. of facts and circumstances that factor into one's subjective judgment create a dangerous pitfall pit·fall
1. An unapparent source of trouble or danger; a hidden hazard: "potential pitfalls stemming from their optimistic inflation assumptions" New York Times. for covered entities.
In addition to the ambiguities of the "minimum necessary" requirement, HIPAA also creates state law preemption problems. (116) The regulations call for federal preemption of state law except for a number of problematic exceptions. HIPAA does not preempt state law if the state law meets one of the following conditions:
1) Is necessary to prevent fraud and abuse;
2) Ensures appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation:
3) Allows for state reporting on health care delivery or costs:
4) Serves a compelling need related to public health, safety, or welfare, that warrants the intrusion into privacy when balanced against the need to be served;
5) Regulates the manufacture, registration, distribution, dispensing, or other control of any controlled substances controlled substance n. a drug which has been declared by federal or state law to be illegal for sale or use, but may be dispensed under a physician's prescription. , or that is deemed a controlled substance by state law:
6) Is more stringent than the HIPAA rule;
7) Provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention: or
8) Requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals. (117)
Although these exceptions may seem benign on the surface, they cause considerable confusion as to when state law preempts the federal rule. (118) The issues are not straightforward or easily dispensed with, and states are already seeing substantial litigation as courts address the issue. (119) Until these issues are more firmly settled, we can only expect more of the same.
Regardless of the wisdom behind the preemption exceptions, much of the blame for generating this litigation falls squarely on HHS. Presumably pre·sum·a·ble
That can be presumed or taken for granted; reasonable as a supposition: presumable causes of the disaster. to cut back on compliance costs, changes were made to the final rule which eliminated a state's ability to seek out an advisory opinion on preemption. (120) While this reduces the burden on HHS, it fails to clarify the legal issues and merely shifts the burden onto courts to resolve the question at the state level.
Beyond the particular legal questions engendered by HIPAA, the regulations also invite new litigation. Although HIPAA does not create any new federal private rights of action for wrongful disclosures of PHI, (121) the privacy standards are now being incorporated into state common law causes of action (122) and may be used to extend actions to parties previously exempt for lack of privity A close, direct, or successive relationship; having a mutual interest or right.
Privity refers to a connection or bond between parties to a particular transaction. Privity of contract is the relationship that exists between two or more parties to an agreement. . (123) For better or worse, this expansion of state law claims adds burdens to the court system and consumes legal resources.
There are also new legal costs outside of the claims themselves. Namely, lawyers face increased discovery costs and litigation obstacles in accessing medical records. (124) Attorneys also have greater internal compliance costs in the form of procedural safeguards for protecting client PHI, creating and monitoring arrangements with covered entities with respect to PHI, and in-house staff training. (125) When assessing HIPAA's legal costs, it would be a mistake to look simply at the damages awarded to successful plaintiffs or the costs of new claim litigation generally. The costs of HIPAA are much broader and ought to be accounted for. Resolving legal issues as a matter of first impression, working through more red tape during discovery, and adding encumbrances to law firms and attorneys must be added to the sum.
HIPAA's high costs, questionable benefits, and numerous economic, legal, and administrative consequences make a strong case for repeal. Not only does it seem reasonable to conclude that the benefits fail to exceed the costs, it may be that the policy may not produce any net benefits, regardless of cost. (126) As an alternative, we should consider less intrusive options that address the privacy concerns that led to HIPAA, while avoiding the many problems it has raised. A good solution meets the criteria of sound policy implementation, (127) while minimizing the regulatory costs and burdens. (128)
Several possible solutions have already been noted: a broad reexamination re·ex·am·ine also re-ex·am·ine
tr.v. re·ex·am·ined, re·ex·am·in·ing, re·ex·am·ines
1. To examine again or anew; review.
2. Law To question (a witness) again after cross-examination. of the structure of the health care payment system, a revision of the tax code, (129) and the development of a privacy insurance market. (130) The advantage of these types of reform is that they address certain underlying concerns of the health care market that regulatory reform Regulatory Reform concerns improvements to the quality of government regulation.
At the international level, the "OECD Regulatory Reform Programme is aimed at helping governments improve regulatory quality -- that is, reforming regulations that raise unnecessary obstacles to generally neglects. The agency problems, poor incentive structures, collective action difficulties, and moral hazards Moral Hazard
The risk that a party to a transaction has not entered into the contract in good faith, has provided misleading information about its assets, liabilities or credit capacity, or has an incentive to take unusual risks in a desperate attempt to earn a profit before the that plague the health care system are at the root of rising costs and frustrations with medical coverage. (131) Only by changing the rules of the game can we expect any real resolution to these problems. But, given that such reforms would require radical changes to the health care market and the current political climate, more incremental Additional or increased growth, bulk, quantity, number, or value; enlarged.
Incremental cost is additional or increased cost of an item or service apart from its actual cost. change seems likely.
Another possible route is to adopt clear guidelines for better privacy policies. Fred Cate sets forth one such framework. He suggests regulators "should focus on harm, not control; use narrow, precise definitions; employ appropriate consent requirements; apply regulations consistently; and evaluate the constitutionality of rules." (132) Similarly, Cass Sunstein Cass R. Sunstein (born 1954) is a prominent law professor at the University of Chicago Law School. Early life and education
Sunstein was born in 1954. He graduated in 1972 from the Middlesex School in Concord, Massachusetts and in 1975 from Harvard College, where he was a offers a narrower framework for evaluating health privacy:
A free society should begin with a strong presumption in favor of full patient control over personal information. The presumption is rebutted when disclosure to others is necessary (1) for good patient care. as in the case of consultations and medical teams: (2) to compile information that will produce scientific or medical progress: (3) to protect third parties from serious risks of harm: and (4) to prevent harm to patients themselves. (133)
Whether Cate or Sunstein has the right approach is debatable, but given the current regulatory environment and the promise of a better alternative, it may not be a bad idea to let their ideas play out. The current approach to privacy is muddied and simply not feasible. A more consistent and principled approach holds the promise of clarifying our legal rights and the value of those rights in any given tradeoff. At least with a clear sense of what is at stake, we can begin to make rational decisions about when, where, and how information ought to be handled.
As a final alternative, we may simply want to go back to the beginning. Prior to HIPAA, choices about privacy were exercised by those closest to the situation and circumstances, namely health care practitioners and intermediaries constrained by state privacy, contract, and tort laws A body of rights, obligations, and remedies that is applied by courts in civil proceedings to provide relief for persons who have suffered harm from the wrongful acts of others. . (134) They were also constrained by custom and common sense, norms we too often undervalue. (135) Not every solution to a problem need be a legal one, and the lack of widespread or systematic privacy abuse prior to HIPAA suggests there may not be a place for one. (136) Assuming, arguendo, that there is such a place, it may be best to bolster the protections that already exist for patient privacy at the state level, keeping in mind that there are significant tradeoffs to enhancing those protections. (137)
Regardless of which path we take, there are good reasons for taking a more market-oriented approach. Among other things, it offers a variety of alternatives, eliminates or reduces the overall administrative burden, and removes the need for esoteric debates over what amount of privacy is the "right" amount for individual consumers. (138) Although, the "invisible hand Invisible Hand
A term coined by economist Adam Smith in his 1776 book "An Inquiry into the Nature and Causes of the Wealth of Nations". In his book he states:
"Every individual necessarily labours to render the annual revenue of the society as great as he can. " of Adam Smith cannot point us to the solution, it does encourage innovation, choice, and most of all competition. We have no guaranteed means of knowing in advance who will win and who will lose, but it is important to set aside any pessimism, and remember that the openness of the market is precisely what makes it work. (139)
As a corollary, it is also important to consider the benefits of competing legal regimes. By allowing states to experiment with different legal solutions that balance the privacy interests of consumers with the interests of the health care industry, we are more likely to see innovation and improvement. (140) State legislators can more readily change the laws when they become ineffective or excessive, and can more readily respond to the people affected. And, at least in principle, states can learn from each other and compare what does or does not make a system work and adjust accordingly. Under a uniform regime, we lose much of the incentive to create better laws at the state level. And although HHS officials may have the best of intentions, they face a much more difficult task in creating rules that best satisfy the conditions of each state's interests and existing legal framework. The agency is much less likely to finesse a solution that works for any single state, much less any particular health care market within that state.
In sum, HIPAA is not a good deal for patients, the health care industry, or any "covered entity" that has the misfortune to fall within its reach. The advantages of strengthening and simplifying the rules under a uniform standard are gained at the expense of experimentation and competition between states and among providers. The administrative burdens HIPAA imposes are, at best, a marginal benefit for a small segment of consumers. At its worst, HIPAA imposes costs directly and indirectly on nearly everyone and offers little in return. HIPAA's main agenda of resolving the employer/employee information disclosure problem remains largely unresolved, and HIPAA does nothing to address the underlying agency problem. In place of a sound policy bolstering privacy protections, HHS has given us a stack of regulations that amount to a costly administrative headache with a number of wealth redistributive effects in tow. Alternatively, we should repeal HIPAA and consider less centralized, more competitive, and more effective options.
(1.) See, e.g., Fred Cate, Principles for Protecting Privacy, 22 CATO Cato
the Elder (234–149 B.C.) for his last eight years said in every Senate speech, “Carthage must be destroyed.” [Rom. Hist.: EB (1963) V, 43]
See : Perseverance
CATO - Fortran-like CAI language for PLATO system on CDC 1604. J. 33, 34-36 (2002), available at http://www.cato.org/pubs/journal/cj22n1/cj22n1-4.pdf; Shaun Spencer, Reasonable Expectations and the Erosion of Privacy, 39 SAN DIEGO San Diego (săn dēā`gō), city (1990 pop. 1,110,549), seat of San Diego co., S Calif., on San Diego Bay; inc. 1850. San Diego includes the unincorporated communities of La Jolla and Spring Valley. Coronado is across the bay. L. REV. 843, 844-51 (2002).
(2.) See generally Helen Nissenbaum, Privacy as Contextual Integrity, 79 WASH. L. REv. 119. 123-30 (2004).
(3.) See generally Joy L. Pritts, Developments and Trends in the Law: Altered States: Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 YALE J. HEALTH POL'Y L. & ETHICS 325, 329 (2002). For a laundry list laundry list A popular term for a long list of Sx, diseases, or etiologies that share something in common–eg, differential diagnosis of acute abdomen of damaging privacy lapses, see Lois Collins, Rx for Privacy, DESERET NEWS, Sept. 2, 2001, at A1.
(4.) See generally Ernest Van Den Haag Ernest van den Haag (September 15 1914, The Hague – March 21 2002, Mendham, New Jersy) was a Dutch-American sociologist, social critic, and John M. Olin Professor of Jurisprudence and Public Policy at Fordham University. , On Privacy, in PRIVACY 149. 150-52 (J. Roland Pennock & John W. Chapman eds., 1971); Peter D. Jacobson, Medical Records' and HIPAA: Is It Too Late to Protect Privacy?, 86 MINN MINN Minnesota (old style) . L. REV. 1497, 1499 (2002).
(5.) See, e.g., Fabio A. Sciarrino, Ferguson v. City of Charleston Ferguson v. City of Charleston, : "The Doctor will See You Now, Be Sure to Bring Your Privacy Rights in With You!," 12 TEMP. POE. & , found a policy of the Medical University of South Carolina regarding involuntary drug testing of pregnant women to violate the Fourth Amendment. CIV JUS AQUAEDUCTUS, CIV. law. The name of a servitude which Lives to the owner of land the right to bring down water through or from the land of another, either from its source or from any other place.
2. . RTS (Request To Send) An RS-232 signal sent from the transmitting station to the receiving station requesting permission to transmit. Contrast with CTS.
1. (operating system) RTS - run-time system.
2. . L. REV. 197 (2002) (discussing case involving a South Carolina South Carolina, state of the SE United States. It is bordered by North Carolina (N), the Atlantic Ocean (SE), and Georgia (SW). Facts and Figures
Area, 31,055 sq mi (80,432 sq km). Pop. (2000) 4,012,012, a 15. hospital that tested expectant mothers for drug use without disclosure and reported results to law enforcement); Spencer, supra A relational DBMS from Cincom Systems, Inc., Cincinnati, OH (www.cincom.com) that runs on IBM mainframes and VAXs. It includes a query language and a program that automates the database design process. note 1, at 887 nn.246-49 and accompanying text.
(6.) Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996) [hereinafter here·in·af·ter
In a following part of this document, statement, or book.
Formal or law from this point on in this document, matter, or case
Adv. 1. HIPAA].
(7.) See generally Lawrence Gostin & James Hodge, The Nationalization nationalization, acquisition and operation by a country of business enterprises formerly owned and operated by private individuals or corporations. State or local authorities have traditionally taken private property for such public purposes as the construction of of Health Information Privacy Protections, 37 TORT & INs. L.J. 1113, 1113-15 (2002).
(8.) See Exec. Order No. 12,866, 58 Fed. Reg. 51,735 (Oct. 4. 1993), amended by Exec. Order No. 13,258, 67 Fed. Reg. 9,385 (Feb. 26, 2002).
(9.) HIPAA's preamble:
An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.
HIPAA, Pub. L. No. 104-19I. 110 Star. 1936 (1996).
(10.) See generally Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. [subsection] 160, 164 (1999).
(14.) See HIPAA [section] 264(c)(1), Pub. L. 104-191, 110 Slat. 2033 (1996).
(15.) Id. [section] 264(b).
(16). Id. [section] 264(a). Some legislative watchdogs claim that the timing of HIPAA combined with the three year deadline was driven by political gamesmanship games·man·ship
1. The art or practice of using tactical maneuvers to further one's aims or better one's position: . Both political parties hedged their bets that they would control the executive branch when the deadline was expected to pass, thereby allowing them to sidestep the legislative process in pursuit of their respective political agenda. See PRIVACILLA.ORG, HEALTH PRIVACY IN THE HANDS OF GOVERNMENT: THE HIPAA PRIVACY REGULATION--TROUBLED PROCESS, TROUBLING RESULTS 12 (2003), available at http://www.privacilla.org/releases/HIPAA_Report.pdf: see also Charlotte Twight, Medicare's Progeny PROGENY - 1961. Report generator for UNIVAX SS90. : The 1996 Health Care Legislation, 2 INDEP INDEP Independent . REV. 373, 373-74 (1998). Bur see Mary Grealy, Health Privacy: The Beginning of the End or rile End of tire Beginning?, CATO INST. HEALTH POL'Y STUDIES CONFERENCE 79, 80 (2001) (arguing that failure to meet the deadline was "due to issues like private right of action and the rights of minors"), available at http://www.cato.org/events/transcripts/hipaa.pdf; cf. Dick Armey, Just Gotta Learn From rile Wrong Things Wrong Things is a collaborative short-fiction collection by Poppy Z. Brite and Caitlin R. Kiernan, released by Subterranean Press in 2001. This short hardback includes one solo story by each author and one story written in collaboration, as well as an afterword by Kiernan. You Done, 22 CATO J. 7 (2002) ("HIPAA is a classic example of legislative panic."), available at http://www.cato.org/pubs/journal/cj22n1/cj22n1-2.pdf.
(17.) Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. [section] 164.534 (2004).
(19.) Id. [section] 160.103.
(20.) Id. [section] 164.501.
(21.) See id. [section] 160.103: see also Jeffrey Lovitsky, Consents a,d Authorizations Under HIPAA, 76 FLA FLA Florida (old style)
FLA Macromedia Flash (file extension)
FLA Flash Files (file extension)
FLA Fair Labor Association
FLA Front Line Assembly . B.J. 10, 11 (2002).
(22.) See 45 C.F.R. [subsection] 164.501, 164.502(a).
(23.) See 42 U.S.C. [section] 1320d-6.
(25.) See PRIVACILLA.ORG, supra note 16, at 18.
(26.) See Rebecca Bishop, The Final Patient Privacy Regulations Under the Health Insurance Portability and Accountability Act--Promoting Patient Privacy or Public Confusion?, 37 GA. L. REV. 723, 735-36 (2003).
(27.) See infra [Latin, Below, under, beneath, underneath.] A term employed in legal writing to indicate that the matter designated will appear beneath or in the pages following the reference.
infra prep. notes 100-02 and accompanying text.
(28.) HIPAA, Pub. L. No. 104-191 [section] 2723, 110 Stat. 1936 (1996).
(29.) DAVID JOHNSON David Johnson may refer to:
(30.) A market for privacy qua privacy does not presently exist, although markets clearly do exist for goods and services In economics, economic output is divided into physical goods and intangible services. Consumption of goods and services is assumed to produce utility (unless the "good" is a "bad"). It is often used when referring to a Goods and Services Tax. which may give rise to greater privacy proteclion. Likewise. there are markets for personal information, but not for the rules and policies that govern those markets. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke"
put differently , there is, at present, no direct means for an individual to select or bargain for the conditions of their personal information market.
(31.) See, e.g., John Gould
(32.) See generally George Stigler George Joseph Stigler (January 17, 1911 – December 1, 1991) was a U.S. economist. He won the Nobel Prize in Economics in 1982, and was a key leader of the Chicago School of Economics, along with his close friend Milton Friedman. , An Introduction to Privacy in Economics and Politics, 9 J. LEGAL STUD. 623, 625 (1980).
(33.) See generally MURRAY ROTHBARD Murray Newton Rothbard (March 2, 1926 – January 7, 1995) was an influential American economist, historian and natural law theorist belonging to the Austrian School of Economics who helped define modern libertarianism. , MAN, ECONOMY AND STATE 241 (1962) (explaining marginal utility marginal utility
In economics, the additional satisfaction or benefit (utility) that a consumer derives from buying an additional unit of a commodity or service. The law of diminishing utility implies that utility or benefit is inversely related to the number of units and principles of exchange).
(34.) Stigler, supra note 32. at 628.
(35.) Cate, supra note 1, at 36.
(36.) Kent Walker, Where Everybody Knows Your Name: A Pragmatic Look at the Costs of Privacy and the Benefits of Information Exchange, 2000 STAN. TECH. L. REV. 4, 5 (2000). "Just as no one is "pro-abortion" or 'anti-life,' no one can be 'anti-privacy,' yet that's the only label left by the rhetoric." Id.
(37.) See Stigler, supra note 32, at 628-33.
(38.) See generally Lawrence Gostin & James Hodge, Personal Privacy and Common Goods: A Framework for Balancing Under the National Health Information Privacy Rule, 86 MINN. L. REV. 1439, 1439-42 (2002).
(40.) See infra Part II.E.
(41.) See Richard Epstein
Richard Allen Epstein , HIPAA on Privacy: Its Intended and Unintended Consequences, 22 CATO J., 13, 15 (2002) (noting that judgments are made behind a Rawlsian veil of ignorance) [hereinafter Epstein, HIPAA on Privacy], available at http://www.cato.org/pubs/journal/cj22n1/cj22n1-3.pdf.
(42.) For example, take a patient who is diagnosed with a condition that carries a costly social stigma Social stigma is severe social disapproval of personal characteristics or beliefs that are against cultural norms. Social stigma often leads to marginalization.
Examples of existing or historic social stigmas can be physical or mental disabilities and disorders, as well as . The value of keeping their medical information confidential escalates in proportion to the consequences of disclosure. The patient's demand for privacy at the time of "purchase" is substantially less than at the relevant time of policy enforcement.
(43.) See generally Mario Rizzo, Time in Economics, in ThE ELGAR El·gar , Sir Edward 1857-1934.
British composer whose orchestral works include Enigma Variations (1896) and five Pomp and Circumstance marches (1901-1930).
Noun 1. COMPANION TO AUSTRIAN ECONOMICS 111 (Peter Boettke Peter J. Boettke (b. 3 January 1960) is an American economist of the Austrian School. Early life and education
Boettke was born in Rahway, New Jersey to Fred and Elinor Boettke and remained there until he moved to Pennsylvania to attend Thiel College in Greenville and ed., 1994).
(44.) The mechanics may be complex, but such a system would offer a variety of choices with greater flexibility on the part of providers and insurers, while ultimately leaving the decision in the hands of the consumer. Ideally, an array of competing policies would emerge to effectively meet the demands of a wide spectrum of consumers. Market pressures to supply the best product at the lowest cost would also tend to prevent unwanted information disclosures and minimize implementation and enforcement costs.
(45.) See generally Sanford Ikeda, Market Processes 23, 23-25 in THE ELGAR COMPANION TO AUSTRIAN ECONOMICS (Peter Boettke ed., 1994); Israel Kirzner Israel Meir Kirzner (Yisroel Mayer Kirzner) (born February 13, 1930) is a leading economist in the Austrian School. Early life
The son of a well-known rabbi and Talmudist, Kirzner was born in London, England and came to the United States via South Africa. , Entrepreneurship, 103. 103-110 in THE ELGAR COMPANION TO AUSTRIAN ECONOMICS (Peter Boettke ed., 1994).
(46.) See Spencer, supra note 1, at 891-907. But see JAY COCHRAN, MERCATUS CTR See click-through rate. ., PUBLIC INTEREST COMMENt ON STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION 13 (2001), available at http://www.mercatus.org/pdf/materials/78.pdf (noting that the HHS claim of market failure based on information asymmetry and externalities externalities
side-effects, either harmful or beneficial, borne by those not directly involved in the production of a commodity. presupposes poorly defined property rights).
(47.) See, e.g., James Nehf, Recognizing the Societal Value in Information Privacy, 78 WASH. L. REV. 1, 59-66 (2003).
(48.) See Mark Pauly, Regulation of Bad Things That Almost Never Happen But Could: HIPAA and the Individual Insurance Market, 22 CATO J. 59, 60-61 (2002) (discussing the problem of imperfect consumer information and insurance), available at http://www.cato.org/pubs/journal/cj22n1/cj22n1-5.pdf.
(49.) See, e.g., Vernon Smith, Markets as Economizers of Information: Experimental Examination of the "Hayek Hypothesis," 20 ECON ECON Economics (course)
ECON Economy (minimum cost speed schedule)
ECON Centre for Economic Analysis
ECON Eastern Coalition of Nations (Star Trek) . INQUIRY 167. 167 (1982).
(50.) See id.
(51.) See PRIVACILLA.ORG, supra note 16, at 1.
(52.) For a discussion on the difficulty of obtaining market efficiency through central or government planning, see generally RICHARD MCKENZIE, COMPETING VISIONS (1985). McKenzie notes that the "economic problem" is not simply one of scarcity, but one of information coordination. Id. at 104-05, 108-12.
(53.) See generally Mary K. Martin, Some Things Old, Some Things New: The HIPAA Health Information Privacy Regulations, 59 BENCH & B. MINN. 32, 33-34 (2002); Elizabeth Morris et al., HIPAA and Its Impact on Michigan's Health Professionals, 81 MICH v. i. 1. To lie hid; to skulk; to act, or carry one's self, sneakingly. . B.J. 29 (2002).
(54.) See, e.g., Cate, supra note 1, at 38-43 (discussing the limits of notice and consent and comparing an opt-out to an opt-in rule).
(55.) See Richard Epstein, A Taste for Privacy? Evolution and the Emergence of a Naturalistic nat·u·ral·is·tic
1. Imitating or producing the effect or appearance of nature.
2. Of or in accordance with the doctrines of naturalism. Ethic, 9 J. LETHAL STUD. 665, 679 (1980).
(56.) See generally Gary M. Anderson, The Economic Theory of Regulation, in THE ELGAR COMPANION TO AUSTRIAN ECONOMICS 294, 295-297 (Peter Boettke ed., 1994). In economic terms, this is a "deadweight loss Deadweight Loss
The costs to society created by an inefficiency in the market.
Mainly used in economics, the term "deadweight loss" can be applied to any deficiency due to an inefficient allocation of resources. ," the uncaptured wealth that would otherwise be yielded in an efficient market.
(57.) See COCHRAN, supra note 46, at 5.
(59.) See generally PRIVACILLA.ORG, supra note 16, at 3.
(60.) Id. at 2.
(61.) See Victoria Craig Bruce, Medical Sayings Accounts: Progress and Problems Under HIPAA, CATO POL'Y ANALYSIS, Aug. 8, 2001, at 1, available at http://www.cato.org/pubs/pas/pa411.pdf.
One of the major factors driving health care costs higher has been the increasing share of medical bills paid by third-party payers (private health insurers, employers, and government agencies) in the U.S. health care system. Most health care consumers do not pay directly for their own health care. Nearly 97 percent of hospital bills and more than 84 percent of physicians' fees are paid by private health insurance. On average, 80 cents of every dollar used to purchase health care is paid by someone other than the consumer who receives the care.
Id. at 3.
(62.) PRIVACILLA.ORG, supra note 16, at 3: see also JOHN GOODMAN Not to be confused with Johnny Goodman (TV producer), Johnny Goodman, or John C. Goodman.
John Stephen Goodman (born June 20, 1952) is a Golden Globe- and Emmy-winning American actor, perhaps best known for his roles on the television series Roseanne & GERALD MUSGRAVE, NAT'L CTR. FOR POLICY ANALYSIS, CONTROLLING HEALTH CARE COSTS WITH MEDICAL SAVINGS ACCOUNTS This article or section is in need of attention from an expert on the subject.
Please help recruit one or [ improve this article] yourself. See the talk page for details. (1992), available at http://www.ncpa.org/pub/st/st168/: S. Butler & C. Gavora, How Tax Reforms Would Help Improve Patient Confidentiality patient confidentiality Medical practice A Pt's right to privacy and freedom from public dissemination of information that the Pt regards as being of a personal nature. See HIPAA, Medical privacy. , HERITAGE FOUND. BACKGROUNDER back·ground·er
An informal news briefing for reporters by an official often speaking off the record.
Noun 1. backgrounder , Jan. 19, 1999, at 3, available at http://www.heritage.org/Research/Taxes/bg1242.cfm.
(63.) Butler & Gavora, supra note 62, at 3.
(64.) See generally Anne Maltz, Health Insurance 101. 690 PLI PLI Practising Law Institute
PLI Professional Liability Insurance
PLI Programming Language Interface (Verilog programming language)
PLI Partido Liberal Independiente (Independent Liberal Party, Nicaragua) LIT. 523, 537-38 (2003).
(65.) See Butler & Gavora, supra note 62, at 4.
(66.) See GOODMAN & MUSGRAVE, supra note 62.
(68.) Consider. for example, the Medicare Prescription Drug, Improvement, and Modernization Act The Medicare Prescription Drug, Improvement, and Modernization Act (Pub.L. 108-173, 117 Stat. 2066, also called Medicare Modernization Act or MMA) is a law of the United States which was enacted in 2003. of 2003 that, in subsidizing prescriptions, distances the payer from the beneficiary thereby creating additional distortion in the health care market. Medicare Prescription Drug, Improvement, and Modernization Act of 2003, Pub. L. 108-173, 117 Stat. 2066 (2003).
(69.) See generally M. Susan Marquis & Stephen Long People named Stephen Long
Stephen Long (journalist and broadcaster) Economics Correspondent at The Australian Broadcasting Corporation.
Stephen P. Long , To Offer or Not to Offer: The Role of Price in Employers' Health Insurance Decisions, 36 HEALTH SERVICES RES. 935 (2001) (study finding that employer demand for health insurance is relatively inelastic inelastic
Of or relating to the demand for a good or service when quantity purchased varies little in response to price changes in the good or service. with regards to changes in rate premiums and noting prior studies that have found varying results for studies based on the stated preferences of employers), available at http://www.hospitalconnect.com/hsr/ArticleAbstracts/Marquis365.html.
(70). See Butler & Gavora, supra note 62, at 4.
(72.) See Charlotte Twight, Prying pry·ing
Insistently or impertinently curious or inquisitive: ignored the prying journalists' questions.
pry Eyes. The End of Medical Privacy (Jan. 21, 2003), at http://www.foxnews.com/story/0,2933,76087,00.html (last visited Oct. 20. 2004) [hereinafter Twight, Prying Eyes].
(73.) HHS also recognizes this problem:
Jeffrey Blair: [B]ut if we go back to the original thinking of why we needed privacy protections, if I recall correctly, the greatest concern that the public had was that their health care information might be inappropriately accessed by their employers. And that that might jeopardize either their ability to be hired, or their ability to retain their employment. Of course, HIPAA attempted to address this as well as it could within the framework that Congress gave us. ... Mark Rothstein: [H]IPAA actually does really very little, if anything to address that problem that you referred to. That is, individuals being concerned that their employers have access to their health records. And the reason for that is it is lawful for an employer to require that an individual sign an authorization as a condition of employment, after the individual has received a conditional offer. So, as a result, the disclosure of an individual's entire medical record to an employer is lawful under HIPAA. It's illegal in California and Minnesota, that have specific statutes that address this issue, but in the other 48 states, it's lawful. And so, therefore, HIPAA really doesn't help things. HIPAA will prevent the wrongful disclosure without an authorization, but as long as there was a valid authorization signed, there would not be a problem.
Meeting transcript, HHS, National Committee on Vital Health Statistics (June 24, 2003), available at http://www.ncvhs.hhs.gov/030624tr.htm.
(74.) See, e.g., Kathleen Dracup & Christopher Bryan-Brown, Editorial, The Law of Unintended Consequences, 13 AM. J. CRITICAL CARE: 97, 98 (2004). Dracup and Bryan-Brown state:
Horror stories are appearing in the literature, warning of unintended consequences. For example, a recent letter to the editor in the New England Journal of Medicine describes a situation in which a patient underwent cardiac transplantation. Postoperatively, routine blood cultures on the patient revealed a bacteremia. The infectious disease specialist at the recipient's hospital contacted the donor's hospital to ascertain the identity of the infection so that immediate antibiotic treatment could be initiated for the (now immunosuppressed) patient. The donor's hospital refused to release the information, citing HIPAA regulations and policies, because the (now deceased) donor had not given authorization for release of PHI.
(75.) Id.; see also Radly Balko, The Barriers Don't Exist, TECH CEN CEN - Conseil Européen pour la Normalisation.
A body coordinating standardisation activities in the EEC and EFTA countries. . STATION, June 4, 2004 (discussing the reluctance of insurers to price according to individual risk based on the false perception that federal regulations prohibit them from doing so), available at http://www.techcentralstation.com/060404H.html.
(76.) 45 C.F.R. [section] 164.510(a)(2).
(77.) See Laurie Tarkan, Sorry, That Information is Off Limits: A Privacy Law's Unintended Results, N.Y. TIMES, June 3, 2002, at F5: see also Jack Rovner et al., Managing the Privacy Challenge." Compliance with the Amended HIPAA Privacy Rule, 15 HEALTH L. 18, 28-29 (2002): Yolanda Woodlee, Hospital Bill is Family's Only Clue: Relatives Weren't Notified of Md. Man's Hit-and-Run Death, WASH. POST, Jan. 20, 2004, at B5.
(78.) See Judith Graham, Privacy Law a Bitter Pill, CHI. TRIB TRIB Tributary
TRIB Tire Retread Information Bureau
Trib Chicago Tribune Newspaper
TRIB Transfer Rate of Information Bits (ANSI formula for calculating throughput)
TRIB Transmission Rate of Information Bits ., Apr. 13, 2004, at 1.
(79.) See Joseph Slobodzian, Judge Upholds Changes to Medical-Privacy Law. PHILADELPHIA INQUIRER Philadelphia Inquirer
Morning newspaper, long one of the most influential dailies in the eastern U.S. Founded in 1847 as the Pennsylvania Inquirer, it took its present name c. 1860. It was a strong supporter of the Union in the American Civil War. , Apr. 3. 2004. at A12 ("Patients may refuse to sign the HIPAA form, but patient advocates argue that option is practically meaningless. Since the rule, advocates say, most doctors or medical providers refuse to assume civil and criminal liability for wrongly disclosed patient information and require patients to sign before they provide care.").
(80.) See Spencer, supra note 1, at 870-71.
(81.) See Cate, supra note 1, at 38.
(82.) Twight, Prying Eyes, supra note 72.
(83.) See infra text accompanying notes 97-102.
(84.) 45 C.F.R. [section] 162.
(85.) See Charlotte Twight. Health and Human Services Noun 1. Health and Human Services - the United States federal department that administers all federal programs dealing with health and welfare; created in 1979
Department of Health and Human Services, HHS "Privacy" Standards." The Coming Destruction of American Medical Privacy, 6 INDEP. REV. 485, 486-88 (2002) [hereinafter Twight, Health and Human Services].
(86.) See Spencer, supra note l. at 868.
(89.) See 64 F.R. 59,918, 59,921 (1999).
(90.) Twight, Health and Human Services, supra note 85, at 486.
(91.) Id. at 490.
(92.) Id. at 488.
(93.) See COCHRAN, supra note 46, at 3-4 (comparing HHS' estimates with independent cost estimates of $4 billion and $1.8 billion respectively, with a total long-run cost of roughly $30 billion).
(94.) Id. at 2.
(95.) Id. at 3.
(96.) Id. at 4.
(97.) See Cass Sunstein, Privacy and Medicine: A Comment. 30 J. LEGAL STUD. 709, 713-24 (2001).
A serious danger is that a system designed to protect privacy, even in the way that is most sensible, might impose costs in excess of benefits, simply because it is so hard to manage. Time and effort are scarce commodities and far from trivial concerns. But the more important problem is that a burdensome system for the protection of privacy could undermine patient care itself, not least by making it more expensive.
(98.) See Peter Dizikes, Tech Firms See New Medical Privacy Rules as Boon (May 10, 2001), at http://abcnews.go.com/sections/basiness/dailynews/medicalimaging010510.html (last visited Oct. 20, 2004); Sandeep Junnarker, Law Prescribes Overhaul of Aging System, (June 16, 2003), at http://news.com.com/2030-6681_3-1001641.html?tag= vs4_toc (last visited Oct. 20, 2004).
(99.) See, e.g., Jessica M. Lewis, HIPAA: Demystifying the Implications for Financial Institutions, 8 N.C. BANKING INST. 141, 156 n.133 (2004) (noting that Bank One gained a competitive edge by advertising itself as the first bank to become Claredi certified).
(100.) See Arnold Rosenbaum, HIPAA Liability More than Meets the Eye More Than Meets the Eye was the three-part series premiere for the 1984 cartoon The Transformers. The three-part pilot was originally known simply as The Transformers , HEALTH-IT WORLD (Nov, 13, 2003), at http://www.imakenews.com/health-itworld/e_article000 200880.cfm (last visited Oct. 20, 2004).
(101.) See HENRY HAZLITT Henry Hazlitt (November 28, 1894 – July 8, 1993) was a libertarian philosopher, economist, and journalist for The Wall Street Journal, The New York Times, Newsweek, and The American Mercury, among other publications. , ECONOMICS IN ONE LESSON 17 (3rd ed. 1978) ("The art of economics consists in looking not merely at the immediate but at the longer effects of any act or policy; it consists in tracing the consequences of that policy not merely for one group but for all groups.").
(102.) See Epstein, HIPAA on Privacy, supra note 41, at 15-16.
(103.) Tarkan, supra note 81; see also John Eggertsen et al., HIPAA Privacy, Regulations: A Summary, SH078 ALI-ABA 29, 68 (2003).
(104.) Tarkan, supra note 81.
(105.) See American College of Epidemiology The American College of Epidemiology (ACE) is an American organization incorporated in 1979 to support and promote the work of American epidemiologists. It is based in Raleigh, North Carolina. External links
(106.) See Lynne Glover, Conducting Clinical Trials Made More Difficult by New Privacy Regs, PITTSBURGH BUS. TIMES. June 6, 2003; see also Epstein, HIPAA on Privacy, supra note 41, at 18.
(107.) HHS has included certain exceptions for public health related activities. For a detailed discussion, see generally Diana M. Bonta et al., The HIPAA Privacy Rule: Reviewing the Post-Compliance Impact on Public Health Practice and Research, 31 J.L. MED. & ETHICS 70, 70-72 (2003).
(108.) See infra notes 121-23 and accompanying text.
(109.) See Lewis, supra note 99, at 141.
(110.) See 45 C.F.R. [section] 164.502.
(111.) Jennifer Guthrie, Time Is Running Out--The Burdens and Challenges of HIPAA Compliance: A Look at Preemption Analysis, the 'Minimum Necessary' Standard, and the Notice of Privacy Practices, 12 ANNALS HEALTH L. 143, 158 (2003).
(112.) Id. at 160.
(113.) Id. at 159; see also Epstein, HIPAA on Privacy, supra note 41, at 25.
(114.) See S.C. Med. Ass'n v. Thompson, 327 F.3d 346, 355 (4th Cir. 2003).
(115.) See generally Guthrie, supra note 111, at 159-68.
(116.) See general@ J.S. Christie, Jr., The HIPAA Privacy Rules From a Litigation Perspective, 64 ALA. LAW. 126, 132 (2003).
(117.) See 45 C.F.R. [section] 160.203 (2001).
(118.) See generally Bishop, supra note 26, at 723.
(119.) See, e.g., Law v. Zuckerman, 307 F. Supp. 2d 705, 709 (D. Md. 2004) (finding preclusion where HIPAA is "more stringent" than Maryland's disclosure regulation): Nat'l Abortion Fed'n v. Ashcroft, No. 04 C 55, 2004 WL 292079, at *3 (N.D. Ill. Feb. 6, 2004) (stating that Illinois law supercedes HIPAA where state law has more restrictive disclosure requirements, even with a court ordered subpoena subpoena (səpē`nə) [Lat.,=under penalty], in law, an order to a witness to appear before a court. A subpoena ad testificandum [Lat. ): Lemieux v. Tandem Health Care, 862 So.2d 745, 748 n.1 (Fla. Dist. Ct. App. 2003) (noting in dicta Opinions of a judge that do not embody the resolution or determination of the specific case before the court. Expressions in a court's opinion that go beyond the facts before the court and therefore are individual views of the author of the opinion and not binding in subsequent cases that Florida substantive law The part of the law that creates, defines, and regulates rights, including, for example, the law of contracts, torts, wills, and real property; the essential substance of rights under law. is more stringent than HIPAA on the issue of disclosure and thus Florida law The jurisprudence of this state offers major differences from doctrines prevailing in the United States at either the federal level or that of the various states.
Homestead exemption from forced sale, the dangerous instrumentality doctrine, the right to privacy, and the Williams supercedes the less protective federal regulations, even though HIPAA's procedural requirements are more stringent).
(120.) See Guthrie, supra note 111, at 155: Brian Zoeller, Health and Human Services' Privacy Proposal: A Failed Attempt at Health Information Privacy Protection, 40 BRANDEIS L.J. 1065, 1081 nn.90-91 and accompanying text.
(121.) See Peter A. Winn, Confidentiality in Cyberspace Coined by William Gibson in his 1984 novel "Neuromancer," it is a futuristic computer network that people use by plugging their minds into it! The term now refers to the Internet or to the online or digital world in general. See Internet and virtual reality. Contrast with meatspace. : The HIPAA Privacy Rules and the Common Law, 33 RUTGERS L.J. 617, 618 (2002).
(122.) Id. at 652-58.
(123.) Id. at 662-65.
(124.) See Lori Baer & Christiana Callahan, The Impact of HIPAA Privacy Regulations on Discovery of Plaintiff's' Medical Records, 12 LJN's PROD prod
a prod to make animals move or move faster. Ranges from a pointed stick to an electric instrument. The electrically powered units may be battery-powered or operate off mains power, most suited to use in a fixed location such as an abattoir, or a portable model with a small . LIAB LIAB Liability
LIAB Life Is A Bitch
LIAB Lisp in A Box . L. & STRATEGY 1 (2003).
(125.) See Alexander Gareeb, Practical Implications of HIPAA, 27 L.A. LAW L.A. Law was an American television legal drama that ran from 1986 to 1994. It was one of the most popular American television shows of the late 1980s and early 1990s. As with thirtysomething, L.A. 12 (2004).
(126.) See Cate, supra note 1, at 37: Mike Koetting, The Regulation of Managed Care Organizations and the Doctor-Patient Relationship doctor-patient relationship,
n in-teraction between a physician and a patient. , 30 J. LEGAL STUD. 703, 703-04, 707 (2001).
(127.) See supra text accompanying note 8.
(128.) See also Epstein, HIPAA on Privacy, supra note 41, at 22-24 (discussing the public choice problems of HIPAA and the difficulties of reversing bureaucratic bu·reau·crat
1. An official of a bureaucracy.
2. An official who is rigidly devoted to the details of administrative procedure.
(129.) See supra notes 57-68 and accompanying text.
(130.) See supra notes 43-49 and accompanying text.
(131.) See supra notes 59-69 and accompanying text.
(132.) Cate, supra note 1, at 53.
(133.) Sunstein, supra note 97, at 710.
(134.) See Epstein, HIPAA on Privacy, supra note 41, at 20.
(135.) Sunstein suggests physician norms may be the best place to begin. See Sunstein, supra note 97, at 710.
(136.) See supra notes 25-26 and accompanying text.
(137.) See Epstein, HIPAA on Privacy, supra note 41, at 14.
The former [pre-HIPAA] world should not be treated as though it were the state of nature, in which no one knew about privacy or cared about the consequences that might flow from the inopportune release of information. Quite the opposite, the tradeoffs between the control of information and the need for its dissemination into different arenas did not first surface in 1995 or 1996. Rather, it has long been at the center of the discussion for research protocols used by physicians, hospitals, and research centers. The protection of medical records was always a big deal, one that was subject to regulation as well as contract.
(138.) See. e.g., Jacobson, supra note 4, at 1506; cf Sunstein, supra note 97, at 709-10.
(139.) See generally FRIEDRICH HAYEK Friedrich August von Hayek, CH (May 8, 1899 in Vienna – March 23, 1992 in Freiburg) was an Austrian-British economist and political philosopher known for his defence of classical liberalism and free-market capitalism against socialist and collectivist thought in the mid-20th , INDIVIDUALISM AND ECONOMIC ORDER 7791 (1996).
(140.) See generally, Bruce Kobayashi & Larry Ribstein, A Recipe for Cookies: State Regulation of Consumer Marketing Information, at 1, 23-25, 36-38 (Prepared for the American Enterprise Institute The American Enterprise Institute for Public Policy Research (AEI) is a conservative think tank, founded in 1943. According to the institute its mission "to defend the principles and improve the institutions of American freedom and democratic capitalism — limited government, , Federalism federalism.
1 In political science, see federal government.
2 In U.S. history, see states' rights.
Political system that binds a group of states into a larger, noncentralized, superior state while allowing them Project Roundtable on Internet Privacy Internet privacy consists of privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet, and to control who can access that information. , January 30, 2001) (discussing the advantages of state versus federal regulation in the context of consumer information privacy), available at http://www.gmu.edu/departments/law/faculty/papers/docs/01-04.pdf.
Meredith Kapushion, J.D. candidate, May 2005, Fordham University School of Law Fordham University School of Law (commonly known as Fordham Law or Fordham Law School) is a part of Fordham University in the United States. The School is located in the Borough of Manhattan in New York City, and is one of eight ABA-approved law schools in that city. ; B.A., Economics and Philosophy, Hillsdale College As of 2006, Hillsdale's student body consists of 1,300 students, almost evenly divided on the basis of sex, with slightly more females enrolled than males. The college currently has more than 100 full-time faculty members and offers a variety of liberal arts majors, pre-professional , 1999. The author acknowledges the contributions and support of Karol Boudreaux, Jay Cochran, and Susan Dudley Susan E. Dudley (born May 27, 1955), an American academic and a political appointee in the administration of George W. Bush. Dudley was appointed by Bush in April, 2007, via a recess appointment to be Administrator of the Office of Information and Regulatory Affairs (OIRA), Office at The Mercatus Center The Mercatus Center at George Mason University is a market-oriented research, education, and outreach organization that works with policy experts, lobbyists, and government officials to connect academic learning and real world practice. , George Mason University Named after American revolutionary, patriot and founding father George Mason, the university was founded as a branch of the University of Virginia in 1957 and became an independent institution in 1972. .