NRPM: Standards for Privacy of Individually Identifiable Health Information. C. Need for the Proposed Action.


Privacy is a fundamental right. As such, it has to be viewed differently than any ordinary economic good. Although the costs and benefits of a regulation need to be considered as a means of identifying and weighing options, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

To take but one example, the Fourth Amendment to the United States Constitution guarantees that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated." By referring to the need for security of "persons" as well as "papers and effects" the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of "persons" is consistent with getting patient consent before performing invasive medical procedures. The need for security in "papers and effects" underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an "unreasonable" search of the papers and effects.

The United States Supreme Court has specifically upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected "zone of privacy." "One is the individual interest in avoiding disclosure of personal matters," such as this proposed regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning "the interest in independence in making certain kinds of important decisions." In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the "personal life," or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240-241.

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves.

Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person. Moving beyond these facts of physical treatment, there is likely a greater intrusion when the medical records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions.

In addition to these arguments based on the right to privacy in personal information, market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy concern information, negotiating, and enforcement costs. The information costs arise because of the information asymmetry between the company and the patient -- the company typically knows far more than the patient about how the information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information will be generated, combined with other databases, or sold to third parties.

Patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. It will often be difficult for a patient to understand the medical records and the implications of transferring various parts of such records to a third party. Second, especially in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company's privacy policies.

The costs of learning about companies' policies are magnified by the difficulty patients face in detecting whether companies in fact are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. For instance, if a person received health care from several providers that promised not to sell her name to third parties, she could report a different middle initial to each provider. She could then identify the provider that broke the agreement by noticing the middle initials that later appeared on an unsolicited marketing letter. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. A company using the patient's name, for instance, could cross-check her address with her real name, and thereby insert the correct middle initial. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information.

The cost and ineffectiveness of monitoring logically leads to less than optimal protection of health information. Consider the incentives facing a company that acquires protected health information. That company gains the full benefit of using the information, including in its own marketing efforts or in the fee it can receive when it sells the information to third parties. The company, however, does not suffer the full losses from disclosure of protected health information. Because of imperfect monitoring, customers often will not learn of, and thus not be able to enforce against, that unauthorized use. They will not be able to discipline the company efficiently in the marketplace for its less-than-optimal privacy practices. Because the company internalizes the gains from using the information, but does not bear a significant share of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use protected health information. In market failure terms, companies will have an incentive to use protected health information where the patient would not have freely agreed to such use.

These difficulties in contract enforcement are made worse by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The incentive of employers may be contrary to the wishes of employees -- employers may in some cases inappropriately insist on having access to sensitive medical information in order to monitor employees' behavior and health status. In light of these complexities, there are likely significant market failures in the bargaining on privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached.

The economic, legal and philosophical arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records. From an economic perspective, market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had some equality of bargaining power. The chief market failures with respect to privacy concern information and bargaining costs. The information costs arise because of the information asymmetry between the company and the patient -- the company typically knows far more than the patient about how the information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information will be generated, combined with other databases, or sold to third parties.

Rapid changes in information technology mean that the size of the market failures will likely increase greatly in the markets for personal health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many medical providers and plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information where appropriate. This proposed privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.

If the medical system shifts to predominantly electronic records in the near future, without use of accompanying privacy rules, then one can imagine a near future where clerical and medical workers all over the country may be able to pull up protected health information about individuals -- without meaningful patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or plan is using their personal health information. It will become more difficult to monitor the subsequent flows of protected health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients' desired level of use will likely rise due the greater number and types of entities that receive protected health information.

As the benefits section, below, discusses in more detail, the protection of privacy and correcting the market failure have practical implications. Where patients are concerned about lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health, substance abuse, and conditions such as HIV. Similarly, patients who are concerned about lack of privacy protections may report inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to mis-diagnosis and less- than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of foregone or inappropriate treatment.

The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, also strengthens the arguments for giving legal protection to the right to privacy in protected health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, where technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. Of additional concern, such services might extend to providing detailed genetic information about individuals, without their consent. Many persons likely believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

States have, to varying degrees, attempted to enhance confidentiality and correct the market problems by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. The states themselves have a patch quilt of laws that fail to provide a consistent or comprehensive policy, and there is considerable variation among the states in the scope of the protections provided. Moreover, health data is becoming increasingly “national”; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently rigorous legal structure to correct the market failure now or in the future. Hence, a national policy with consistent rules is a vital step toward correcting the market failure that exists.

In summarizing the need for the proposed regulation, the discussion here has emphasized how the proposed regulation would address violations of a right to privacy in the information about oneself, market failures, and the need for a national policy. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. Other arguments could supplement these justifications. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby, foster better health. The proposed regulation may also help educate providers, plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.

Clearly, the growing problem of protecting privacy is widely understood and a major public concern. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." A Wall Street Journal/NBC poll on September 16, 1999 asked Americans what concerned them most in the coming century. "Loss of personal privacy" topped the list, as the first or second concern of 29percent of respondents. Other issues such as terrorism, world war, and global warming had scores of 23percent or less. The regulation is a major step toward addressing this public concern.