
Comments on the Health Insurance Portability and Accountability Act
March 30, 2001


U.S. Department of Health and Human Services
Attention: Privacy I
Room 801
Hubert H. Humphrey Building
200 Independence Avenue, SW.
Washington, DC 20201

Re: Final Rule, Request for Comments Published in the Federal Register on February 28, 2001

Standards for Privacy of Individually Identifiable Health Information

RIN 0991-AB08

To Whom It May Concern:

Privacilla is pleased to offer comments on the technical amendment to the final rule issued by the Department of Health and Human Services ("the Department") adopting standards for privacy of individually identifiable health information ("the HIPAA regulations" or "the regulations") published on December 28, 2000 in the Federal Register (65 Fed. Reg. 82462).

Privacilla is an online think-tank and "privacy policy portal" that attempts to capture privacy as a public policy issue from a free-market, pro-technology perspective. The site accepts comments, proposed topics, and other intellectual contributions from whomever in the interested public is willing to offer them. It summarizes hundreds of privacy topics and provides links to further commentary and source materials, giving users a wide array of resources in their explorations of the privacy issue. The project was developed in response to the poorly articulated policy discussion surrounding privacy. More information about Privacilla is available on the Web site of the same name,

Privacilla appreciates and respects the dedication and hard work of the Department staff who prepared the recommendations that the Secretary submitted to Congress in 1997 and the recently issued regulations. These efforts unfortunately did not overcome the baffling incoherence of the privacy issue as articulated so far in public debate. This incoherence dooms the regulations to increasing the cost and reducing the availability of health care while failing to address American patients’ legitimate privacy concerns.

The regulations should be withdrawn. Congress, rather than any Executive Branch agency, should decide in consultation with the President what the nature of any federal health privacy protection in the United States should be. These elected officials should make such decisions only after identifying exactly what privacy is, and how it is best protected. The first steps they should take are to stop governments from actively eroding the ability of patients to control health information. Careful study of the issue reveals that the true privacy interests of consumers can only be revealed and satisfied in the marketplace. This should be the focus of our nation’s health care and privacy policies.

The HIPAA "Process" Was Constitutionally Suspect and Crassly Political

As the Department must surely recognize, the regulations emerged from a whopping giveaway of legislative power by Congress. Congress abandoned its responsibility to make law in a way that can only be described as a scandalous betrayal of the sacred obligation Congress owes to the people who elect its Members.

The section of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") titled "Recommendations with Respect to Privacy of Certain Health Information" asked the Department to make recommendations to Congress about the privacy of individually identifiable health information. Congress asked what rights people should have with regard to such information, the procedures that should be used to enforce those rights, and the uses and disclosures of such information that should be authorized or required.

Asking a federal agency for recommendations is acceptable, but Congress went several steps further, inviting the Department to go ahead and write into law whatever the recommendations were if Congress did not act. When Congress failed to act, the Department created these regulations without any further legal guidance from the body of government directly and regularly accountable to the people.

Under the Supreme Court’s non-delegation doctrine, the HIPAA regulations are likely void. In an article for BNA’s E-Health Law & Policy Report, Washington, D.C. attorney William G. Schiffbauer has articulated their unconstitutionality in detail. Under long-time Supreme Court precedents such as Panama Refining Co. v. Ryan, 293 U.S. 388 (1935), and A.L.A. Schechter Poultry Corp. v. United States, 295 U.S. 495 (1935), as well as the recent Line-Item Veto case, Clinton v. City of New York, 524 U.S. 417 (1998), Congress cannot give away its legislative authority. This rule against delegation requires elected officials in Congress to take responsibility for the federal government’s policies. It is a key protection for accountability and the democratic process.

In Loving v. United States, 517 U.S. 748 (1996), the Supreme Court held that statutes passed by Congress must set out an "intelligible principle" to guide courts and agencies. It is plainly impossible for the HIPAA law to meet even this low threshold because Congress asked the Department what the principles guiding health privacy should be. A delegation of authority phrased in the form of a question cannot possibly have provided the Department an "intelligible principle" to follow.

The story of the HIPAA regulations is one of the best illustrations of how crass and political federal policymaking can get. There are many reasons to lack confidence in the regulations because of the way they were formulated.

When Congress enacted the HIPAA law, punting on its responsibility to address privacy itself, the 1996 presidential election was looming. The HIPAA law called for privacy recommendations to come exactly twelve months later, from a Department controlled by the election’s winner. The next President would have the power to veto any legislation, which ensured that the regulations would come from a Department he controlled, rather than from Congress. In other words, instead of seeking an educated consensus, Republicans and Democrats put federal privacy policy down as a bet on the election race between Bill Clinton and Bob Dole. Democrats won the bet.

One of the terms of that bet was that the Department would issue privacy regulations (if Congress failed to act) "not later than" 42 months after HIPAA was enacted. Accordingly, regulations would have been issued in December 1999, less than a year before the presidential election of 2000. This timing is important, because the party that won the original HIPAA bet would still have to answer to voters in the 2000 election, an important restraint on what would come out of the process.

For whatever reason, the Clinton Administration welshed on this part of the bet, and did not issue the HIPAA regulations until December 2000 — just after the election race between George W. Bush and Al Gore. This allowed the Clinton Administration to issue regulations that did not create a political risk for the Democratic party's candidate in the 2000 election.

Though no one can know how it changed the substance of the regulation — and Privacilla knows of no wrongdoing or bad faith by any party — even the most dedicated public servants respond to constraint or lack of constraint created by the political process. The timing of the HIPAA regulations sheltered the Administration and the political party responsible for them from accountability, likely affecting their content even in the absence of bad faith by any individual or group.

The unaccountability within the HIPAA process is no small irony given that this was a product of the Health Insurance Portability and Accountability Act. The results reflect the interests of politicians and bureaucrats, but do not reflect the interests of consumers and citizens who are best served when law-making is undertaken following ordinary, constitutional processes.

The HIPAA Process Was Further Doomed When HHS Failed to Articulate a Coherent Theory of Privacy

When Congress in the HIPAA law asked the Department to recommend standards with respect to the privacy of health information, it asked three very difficult questions:

  • What rights should the subject of individually identifiable health information have?
  • What procedures should be established for the exercise of such rights? and
  • What uses and disclosures of such information should be authorized or required?

The Department did not answer that first, absolutely critical question.

Instead, the Department put forward a document that cheered for broad legislation — never explaining exactly what privacy was or what interest or right of consumers the legislation would protect. This defect caused the Department’s recommendations to be intellectually rootless.

"Privacy" has yet to be fully developed as a legal concept — if it even is one. Trying to define privacy has tormented policymakers and advocates for years. Nonetheless, we offer tentative observations that may assist the Department.

One of the supremely dissatisfying assertions in the debate over privacy, for those who take rights seriously, is the idea that information privacy is a fundamental right.

Fundamental rights are important things, but not all important things are fundamental rights, and a fundamental right to privacy does not fit with the classical idea of rights. The right to liberty suggested in the Declaration of Independence, for example, leaves a clean slate as to what people will do with their liberty. The First Amendment right to free speech allows people to say almost anything — or nothing at all, thankfully. And the Fifth Amendment’s protection of private property aims at allowing people to keep what they own once they have earned or created it. It does not require people to own things. Rights create a vacuum in which people can act however they choose.

For there to be a "right" to privacy, then, there must be a vacuum in which privacy is unprotected, but in which privacy can be protected by people who value it. Non-protection of privacy has to be the baseline if we are to treat privacy as a right. Otherwise, privacy is an entitlement — a thing that government bestows on us by virtue of our status. In the better view, privacy is the result of choices made in the exercise of some other right or rights.

In their Harvard Law Review article, Samuel Warren and Louis Brandeis said that people can give up their privacy by publishing information about themselves. The corollary is that people can protect their privacy by safeguarding information about themselves. The legal right Warren and Brandeis must have been talking about — the vacuum, which people can fill or leave unfilled — is whether or not to reveal personal information. This is a product of personal autonomy. Privacy is protected by maximizing the autonomy and power of individuals.

Privacy is a Subjective Condition

Privacilla’s best conclusion about privacy at this time is that it is most accurately viewed as a subjective condition. It is a state of being and, importantly, it is a state of being that an individual enjoys on terms that only he or she can define.

A person does not suffer harm when information about him or her is used in a way that would offend someone else. A person’s privacy is only violated when information about him or her is used in a way that violates his or her own sense of privacy. No individual, advocacy group, or government can decide what any individual’s sense of privacy will be.

It is useful to analogize privacy to another subjective condition: happiness. Happiness is a product of the complex, changeable, and highly personal wants and needs of individuals. A law or regulation that purported to provide happiness would properly be viewed as absurd. So it is with privacy. Privacy reflects personal, individual values that cannot be successfully generalized. Laws may, however, create the circumstances within which consumers may pursue and protect their own individual senses of privacy.

It is also useful to consider that privacy may have two parts:

  • First, privacy may result from the actual fact that an individual has successfully exercised control over information about him or her consistent with his or her values.
  • Second, privacy may be the subjective sense that a person has the ability to exercise control over information about him- or herself.

These tentative observations point away from top-down regulatory models for providing privacy. Laws or regulations that create broad confidentiality or secrecy rules will not create control over information that is consistent with individuals’ distinct values. Neither will they create a subjective sense of control.

These observations point instead to consumer education and empowerment combined with robust contract enforcement in free and diverse markets. Privacy cannot be delivered like an entitlement. It is a product of individual power and control, coupled with the personal responsibility to exercise that power and control. The approach taken by the Department in the regulations is fundamentally at odds with the better, emerging conceptions of privacy that counsel for individual consumer empowerment.

The Regulations Do Not Advance the Cause of Privacy and They Threaten Patients’ Lives

In essence, the HIPAA regulations represent the guesses of well-meaning bureaucrats and advocates about what privacy should look like. It is impossible for these guesses to be accurate when hundreds of millions of people are engaging in billions of transactions each day that involve personal information. The regulations’ mandate of confidentiality or secrecy in health information is at best a shabby caricature of what privacy would look like if choices about the use of information were given to consumers themselves.

More importantly, the regulations affirmatively undermine privacy in significant ways. As other commenters are assuredly emphasizing to the Department, the regulations reduce patient choice and control over health information for a variety of purposes, including oversight of the health care system, monitoring by the Food and Drug Administration, public health surveillance, law enforcement activities, and so on. While these purposes may advance important social goals, they do not advance the cause of privacy.

This is especially concerning in light of the major premise of the regulations themselves — the common sense idea that real harms may flow from patient uncertainty about privacy. Patients who fear for their privacy may avoid treatment, may misreport information, may fail to undergo treatments, and so on. The portions of the regulations that actively undermine patient privacy are now well known to the public. They will discourage patients from getting the care that they need, leading to greater levels of debilitating illness, more suffering due to treatable conditions, and even premature death among American patients.

The regulations amount to a gamble about consumer confidence in the health care system. The gamble is that consumer confidence will improve and that patients will more openly and confidently seek treatment if murky and arcane federal regulations make patients’ personal health care information more available to the government, to researchers, and to a variety of other interests. It is a bad gamble — a gamble with people’s lives — that should be taken off the table.

There is one guarantee among all the risk to patient care. By the Department’s own reckoning, the regulations will cost $17 billion, and other estimates run far higher. This money will come out of the insurance and health care options available to needy Americans. Statistically, the regulations guarantee that a number of Americans will die, having forgone health care because of the costs imposed by the regulations.

Health Privacy Will Only be Delivered by Systems that Give Patients Power and Responsibility to Protect Privacy as They See Fit

Given the true shape of privacy that emerges from careful analysis of the subject, the way to protect privacy is to distribute privacy choices to the people whom they affect. Empowered consumers are what will deliver privacy to consumers. This does not mean consumers ‘empowered’ by government-mandated check-offs. This means consumers empowered by knowledge and full freedom to contract — and refrain from contracting — with health care providers based on the privacy promises they offer. This goal is incredibly far off, and not easy to achieve, but satisfying the privacy interests of consumers and citizens is far superior to imposing the guesswork of experts in the hope that the privacy problem will go away.

To create the circumstances where consumers can protect their privacy, there are several things governments can do. First, they can refrain from actively eroding the ability of people to control information about themselves. Most tax and benefit programs have as a hidden cost the loss of the ability to keep information private. This includes health care programs that require massive collections of extremely personal information about beneficiaries and often the public at large. Second, governments can enforce contracts that people enter into seeking privacy protection. This is already provided for in the law of all 50 states.

Health care providers, in the meantime, should offer patients levels of confidentiality consistent with the broad array of privacy preferences consumers have. These offerings cannot be predicted because actual consumer demand for them remains unknown. Providers should pass along to patients the benefits that accrue from information sharing. Patients who prefer to be highly restrictive with information should be prepared to pay the additional cost. This is not ‘discrimination,’ but rather the product of consumer choice.

Market processes — imperfect and rough-and-tumble as they are — are the only way to discover consumers’ true interests. Regulators, politicians, and even pollsters have little capacity to discern them.


The fact that enforcement of the HIPAA regulations was delegated to the Office for Civil Rights indicates that the regulations will be enforced without a clear founding in basic principles. As important as privacy protection is, it is not a fundamental or civil right.

If the HIPAA privacy regulations go forward, privacy protection should become a major part of the planning documents produced by the Department. The Government Performance and Results Act (P.L. 103-62) requires federal agencies to establish clear goals based on their statutory authority, and report to Congress annually on their progress in meeting those goals. This would not be an easy intellectual exercise because "privacy" reflects the values of individuals, which governments are in a difficult position to protect. Nonetheless, if billions of taxpayer and consumer dollars are to be consumed in the name of privacy, the results of that spending and regulating should be measured.

Far better would be for the regulations to be withdrawn. Congress, rather than any Executive Branch agency, should decide in consultation with the President what the nature of any federal health privacy protection in the United States should be. These elected officials should make such decisions only after identifying exactly what privacy is, and how it is best protected. The first steps they should take are to prevent governments from actively eroding the ability of patients to control health information. The true privacy interests of consumers, they will find, can only be revealed and satisfied in the marketplace. This should be the focus of our nation’s public policy on health care and privacy.


James W. Harper

©2000-2003 All content subject to the Privacilla Public License.