The medical privacy provisions of the Health Insurance Portability and Accountability Act of 1996 undermine our ability to get an accurate assessment of the costs and benefits of information disclosure.
HIPAA contains an ostensibly innocuous command that only “relevant” information can be disclosed. But it offers no definition of what information counts as relevant in cases of medical uncertainty.
Let’s take a very simple case: Say somebody who has medical records on file at a hospital in Illinois is involved in an automobile accident in Ohio. Which medical records does the Illinois hospital send to Ohio?
Now, if it is my body, I say send the whole file fast. I don’t want anything to be left out, because I don’t know what the physicians in Ohio will regard as relevant. But somebody in Illinois may say, well, he only broke his arm, so we’ll send only the arm-related information. That could take an hour to figure out, and in the interim I’m dead because the Ohio hospital didn’t get even that limited information in a timely fashion.
Apparently we’re supposed to tolerate this type of mistake in a welfare state, because we understand that the government’s motives are benevolent even if the consequences of its actions are unfortunate!
“Minimum Necessary Disclosure”
Such risks are real.
Suppose that I am taking a leg medicine, which means that if you give me a certain arm medicine you’re going to harm or kill me. I would rather trust the physician on the spot to look at the entire medical record and figure out what potential interactions to guard against than to have somebody, no matter how able, try to decide at the point of release what information to forward.
I would hate to go into the operating room and hear, “Well, when you were in the emergency room, we didn’t think surgery would be likely, so only this information was necessary; now we’ve got to request an urgent update with more information” . . . subject, perhaps, to the same mischievous relevancy constraints.
Again, time turns out not only to be money but to influence the odds of survival. My own judgment is that anyone who runs the error calculations will quickly lurch to the optimal solution: The emergency room doctor gets everything, but only for restricted uses related to my well-being; he cannot turn around and sell my records to a soap vendor the next day.
That’s exactly the way business was done before HIPAA. At that time, nobody used a “minimum necessary disclosure” requirement—precisely because full information is likely to minimize errors in decisions made under conditions of uncertainty. It makes no sense to spend time and effort to shrink the flow of information.
Expanding Spheres of Influence
A second troubling feature of HIPAA is how it works to extend the sphere of its own influence.
The original mandate under HIPAA covered some, but not all, provider operations. What the regulators manage to do is stipulate that any covered entity who provides a medical record to a person or firm—even if that person or firm is not part of the HIPAA umbrella—must require, by contract, that person or firm to observe all the HIPAA requirements. And so mandatory contracts become the weapon of choice to expand government power, when in fact there has been no clear delegation of authority.
There is something deeply troubling about these developments because of their Orwellian use of language. The mantra behind HIPAA’s privacy regulations is consent—an honorable theme for those who care about liberty. But in this instance, the rules in fact use the “consent” label to disguise coercion. The key strategy: All individuals are required to give consent, not comprehensively, but for each separate transaction.
What the regulations do is create a system in which each of us is required to exercise, repeatedly and against our own will, this right to permit others to use information about us. But we cannot waive the protections of the act that require individual consent to be given by putting on the Internet a form that says, “Doc, use whatever records you want in the way that you think best, in accordance with the common practice of your institution.”
Salami Health Care
Putting all the pieces together, what is going on here?
The single largest and most ambitious power grab in the history of American health care was the proposed Clinton Health Security Act, which failed in 1994. Essentially, that bill was an effort to create a massive regulatory apparatus to control, either directly or indirectly, the provision of all private forms of health care.
It failed, so HIPAA continued the search for government control by the salami tactic: Take control of the industry one slice at a time. And here the move to disarm the opposition is to announce that government insists on the various sorts of restrictions to protect against pervasive market failures in the private sector. Once those regulations are imposed, of course, the system will not be able to respond to the challenges it faces without incurring additional costs for few, if any, benefits.
The upshot is that the health system will creak even further. That further decline will in turn justify further forms of regulation, and then, by the time we are done, this hodgepodge system of market-cum-regulation will be deemed unworkable . . . so that the only sensible solution is in fact single-payer nationalized medicine.
Richard A. Epstein is an adjunct scholar at the Cato Institute and professor at the University of Chicago Law School and Hoover Institution. This essay is excerpted from his luncheon address on July 31 to a day-long Cato conference, “Making a Federal Case Out of Health Care.