Charlotte Twight
Monday, Aug. 5, 2002

Editor's note: This is part one of an article on how federal regulations that purportedly protect medical privacy have in fact done the opposite.

Federal privacy regulations issued by the Clinton administration on Dec. 28, 2000, and adopted by the Bush administration on April 14, 2001, perpetrate a fraud on the American people, proclaiming privacy as their goal when ever-wider access to individual medical records is their actual and intended effect.

In this article, I document the stark contrast between what Americans want and what they are getting from the federal government with respect to medical privacy, examining how and why that incongruity emerged.

Recently, the high value that ordinary Americans place on medical privacy was shown in a September 2000 Gallup poll sponsored by the Institute for Health Freedom, in which the respondents strongly opposed unauthorized access to medical records. Seventy-eight percent regarded the protection of the confidentiality of their medical records as "very important"; 91 percent opposed government-mandated medical identification numbers; and 88 percent opposed storing patient medical records in a national computerized database for use without the patient's permission.

Questioned about who should be allowed to see individuals' medical records without their consent, 92 percent of the respondents opposed access by government agencies, 88 percent by law enforcers ("police or lawyers"), 95 percent by banks, 84 percent by employers, and 67 percent by medical researchers. Fully 95 percent agreed that doctors and hospitals should be required to obtain an individual's permission before storing his medical records in a national computerized database (Gallup Organization 2000).

The Public Betrayed

Ironically, unbeknown to the majority of respondents, most of the threats to medical privacy mentioned in the Gallup survey had already been either enacted into law or proposed as part of regulatory efforts to implement existing law. Yet only 16 percent of those surveyed had heard of new federal laws and regulations changing the rules regarding access to personal medical records, and 87 percent were not aware of a "federal proposal to assign medical identification numbers, similar to a social security number, to you and all other Americans to create a national database of medical records" (Gallup Organization 2000, 8, 12-13).

However, the laws were already on the books, and their implementation was accelerating. In April 2001, federal regulations adopted in the name of medical privacy further expanded access to individually identifiable medical records, without patient permission, by some of the very groups whose unauthorized access Americans most strongly oppose. How did this widely opposed result come about?

'Administrative Simplification'
and the Erosion of Medical Privacy

The federal legislation underlying the new regulations is part of the Health Insurance Portability and Accountability Act (HIPAA), commonly known as the Kennedy-Kassebaum bill (Public Law 104-191, Aug. 21, 1996). Enacted in 1996 with virtually no opposition, HIPAA seemed to foreshadow only good things - at least, it did so if one listened only to government officials and to the popular press. Members of Congress, the president and the news media repeatedly emphasized HIPAA's appealing objectives, chief among them reduction of the "job lock" that tied many workers to their existing employment for fear of losing insurance coverage if they switched jobs.

Prior to HIPAA's passage, however, lawmakers and the press seldom told the public about the act's more ominous side - privacy-threatening provisions buried in a section entitled "Administrative Simplification," which included some of the most feared elements of the rejected 1993 Clinton health security bill.

Hillary's National ID Nightmare Returns

Copied almost verbatim from the 1993 bill were HIPAA's requirements for uniform electronic databases of personal medical information nationwide and for the creation of a "unique health identifier" for every American. The 1996 act empowered the federal government, at its discretion, to require detailed information on what lawmakers called "encounters" between doctors and patients.

The secretary of the U.S. Department of Health and Human Services (HHS) was to adopt standards to enable "health information" that is, everything a doctor, employer, university, or life insurer ever learns about an individual - "to be exchanged electronically." The legislation aimed to create a "health information system" through the "establishment of standards and requirements for the electronic transmission of certain health information" by medical practitioners (Public Law 104-191, Title II). The issuance of privacy regulations to protect this new electronic flow of personally identifiable medical information was not required until three and a half years after the passage of HIPAA.1

Yet dissent - or even attention to these provisions - scarcely arose.

In the winter 1998 issue of The Independent Review, I analyzed HIPAA's privacy-threatening provisions and showed that provisions related to a medical ID number and to an electronic database - along with broad new civil and criminal punishments potentially applicable to honest doctors acting in the best interest of their patients - gained passage by means of the same political tactics that had facilitated enactment of the original Medicare law in 1965 (Twight 1998).

Misrepresentation and Manipulation

Misrepresentation, the tying of unpopular measures to popular ones, incrementalism, and other forms of political transaction-cost manipulation were as instrumental in 1996 as they had been in 1965. It was emblematic of these strategies that the electronic database and health-identifier provisions were tucked in the back of the law under the rubric "administrative simplification."

These statutory provisions have spawned an outpouring of new regulations that will soon destroy our medical privacy. The same tactics that spawned Medicare and HIPAA are being employed again in the regulatory implementation phase of HIPAA.

Congress did not formulate the medical privacy standards that took effect in April 2001. Instead, it delegated that responsibility, along with other duties under HIPAA, to HHS. Between 1996 and 2000, HHS released HIPAA-based regulatory packages one by one: hundreds of pages of proposed rules, explanations of proposed rules, responses to public comments on proposed rules, preliminary releases of final rules, actual final rules, explanations of final rules, and much else.

The HHS fine print fills a stack of paper already more than 9 inches high and still growing, unapproachable and surely indecipherable by the average citizen.

Next: national ID.

Footnote
1. "If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act" (HIPAA, Public Law 104-191, Aug. 21, 1996, sec. 264c). Congress did not pass legislation establishing such privacy standards, so the task fell to HHS.

This article is adapted with permission of the publisher from the article "Health and Human Services 'Privacy' Standards: The Coming Destruction of Medical Privacy," by Charlotte Twight, in The Independent Review: A Journal of Political Economy (Spring 2002, vol. VI, no. 4, p. 485-511). © Copyright 2002, The Independent Institute, 100 Swan Way, Oakland, Calif. 94621-1428; http://www.independent.org.

Charlotte Twight is a professor of economics at Boise State University.

A product that might interest you:
Shocking Details of Bill and Hillary’s "Final Days"
Read more on this subject in related Hot Topics:
Bush Administration
Clinton Scandals
Health Issues
Media Bias
Privacy
Sen. Hillary Clinton

Back