It didn’t make any headlines, but in September this year as many as two million more firms became subject to HIPAA regulation. That’s the law, originally passed in 1996, that mandates the Department of Health and Human Services (HHS) to write and enforce regulations dealing with health-data privacy. It takes HHS 138 pages in The Federal Register to spell out the bad news.
Whenever your doctor’s front office asks you to sign a gobbledygook form saying something about using your personal information, that’s HIPAA in action. Don’t ask what they do with the form. If you’ve ever had a relative or friend in the hospital and tried to find out what’s going on, you probably waded into the HIPAA swamp.
Million-dollar fines. This is the law that resulted in a fine of $1.5 million on Blue Shield of Tennessee to settle a case involving theft of hard drives left in a network data closet after the insurer had moved its staff out of an office complex. It cost the insurer WellPoint $1.7 million for not making its electronic patient records more difficult to access. Check out an HHS website page for further horror stories.
This is the law that drives medical researchers nuts. Consider the conclusion of a recent survey by leading cancer researchers:
The protocols required to meet HIPAA privacy standards have subjected clinical trial enrollees to burdensome paperwork and added thousands of hours and hundreds of thousands of dollars to the time and costs of individual studies, taking limited resources away from clinical cancer research.
In some trials, insufficient resources to manage these protocols have led to the abandonment of studies altogether, undermining the trust that clinical researchers have worked to establish with clinical trial participants.
Now the law is being expanded to put at risk most of the accountants, suppliers, and consultants who provide services to the health care industry – about two million entities in all.
HHS estimates the costs of implementing the new regulations will be on the order of $225 million (only $112 for each affected firm??), but begs off trying to estimate the benefits due to “lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity.”
What was the problem? HIPAA’s health-data provisions are a classic example of legislators and a law gone amok. Why should it be a federal government responsibility to dictate how medical practitioners and hospitals manage the flow of information between patients, their families, and researchers?
As Richard Epstein, Distinguished Service Professor of Law at the University of Chicago has argued so cogently,
Before HIPAA, no [patient] consent was necessarily required as a matter of law, although some consent might have been required for internal purposes … The default position thus favored the free flow of information within customary channels. The question of breach was handled less by a system of ex ante regulation and more by a variety of sanctions imposed after the fact. Actions for breach of fiduciary duty, invasion of privacy, intentional infliction of emotional distress, medical malpractice, and defamation could be brought, along with various actions for breach of civil and criminal statutes … the small incidence of their use is a telltale sign that this kind of system was working about as well as could be expected.
As with a good deal of federal regulation, part of the impetus behind HIPAA was the desire by big players in the healthcare industry to replace multiple state regulatory regimes with a single federal diktat instead of 50 separate versions.
But plenty of effective industry-wide protocols have emerged with little if any federal government intervention. Consider Underwriters Laboratories (UL), founded in 1894. It emerged in response to the numerous safety issues that arose when the new and occasionally dangerous technology of electric power and lighting was being introduced throughout the U.S. Today, UL is still going strong. The Uniform Commercial Code, which harmonizes many state laws dealing with commercial activity, is another important example.
A massive paperwork enterprise. Trying to impose a top-down “one size fits all” set of medical-condition disclosure rules on millions of patients, doctors and researchers flies in the face of the complexity of the real world, particularly one in which communications technology is changing rapidly and internet hackers abound.
The soft, suffocating embrace of the regulatory state marches on, diverting energies from healing and medical research into a massive paperwork enterprise and adding unnecessary millions (billions?) of dollars to the nation’s healthcare bill.
A case for tribunes. What we need are fewer issue entrepreneurs in Congress and more thoughtful, principle-based “tribunes”: guarantors of civil liberties and property rights against arbitrary state power.