When Congress in the HIPAA law asked the Department of Health and Human Services
to recommend standards with respect to the privacy of health information, it asked
three very difficult questions:
- What rights should the subject of individually identifiable health information have?
- What procedures should be established for the exercise of such rights? and
- What uses and disclosures of such information should be authorized or required?
HHS did not answer that first, absolutely critical question.
Instead, HHS put forward a document that cheered for broad legislation, never
explaining exactly what
privacy was, or what interest or right of consumers the
legislation would protect. This defect caused the HHS recommendations
to be intellectually rootless.
Had HHS analyzed the concept of privacy deeply, it may have recognized the very personal
and individual nature of the interest. Uncommon though it would have been for a federal
agency not to recommend command-and-control regulation, HHS may have found that
privacy is best protected by bolstering existing contract and tort rights, by
reducing government mandated collection of health information, and by educating
and empowering consumers to determine and pursue privacy as they see fit.
of Individually-Identifiable Health Information: Recommendations of the Secretary of
Health and Human Services, pursuant to section 264 of the Health Insurance Portability
and Accountability Act of 1996 (September 11, 1997)
Recommendations with Respect to Privacy of Certain Health Information,
Section 264 of the Health Insurance Portability and Accountability Act of 1996
(August 21, 1996)