The story of the HIPAA privacy regulations is one of the best illustrations of
how crass and political federal policymaking can get. There are many reasons to
lack confidence in the regulations because of the way they were formulated.
Congress enacted the HIPAA law, punting on its
time, the 1996 presidential election was looming. The HIPAA law called for privacy
recommendations to come exactly twelve months later, from a Department of Health
and Human Services controlled by the election's winner. The next President could
veto any legislation, ensuring that the regulations would come from an
HHS he controlled, rather than from Congress. So, instead of seeking an educated consensus, Republican and
election race between Bill Clinton and Bob Dole. Democrats won the bet.
One of the terms of that bet was that the Department of Health and Human
Services would issue privacy regulations (if Congress failed to act) "not later than"
42 months after HIPAA was enacted. Accordingly, regulations would have been issued
in December 1999, less than a year before the presidential election of 2000.
This timing is important, because the party that won the original HIPAA bet would
still have to answer to voters in the 2000 election, an important restraint on what
would come out of the process.
The Clinton Administration's HHS welshed on this part of the bet, and did not
issue the HIPAA privacy regulations until December 2000 — just after
the election contest between George W. Bush and Al Gore. This allowed the
Clinton Administration to issue privacy regulations that did not create a
political risk for the Democratic party's candidate.
Though one can never know whether it changed the substance of the regulation,
this timing sheltered the Administration and the political party responsible for
the regulations from accountability — no small irony given that this was a product
of the Health Insurance Portability and Accountability Act.
This does not make heroes of Republicans. Both parties deserve substantial
result of consensus among elected representatives in Congress, and the approval of
the President. The HIPAA privacy regulations have none of these elements.