Academic journal article Fordham Urban Law Journal

Hungry, Hungry HIPAA: When Privacy Regulations Go Too Far

Article excerpt

Privacy has many different definitions ranging from informational privacy to civil libertarian ideas of personal autonomy. (1) It is difficult to define as it arises from a complex set of rules and institutions which determine the limitations and availability of information. (2) As we find new ways to harness the massive amounts of available information, our lives may be subject to unwanted scrutiny and real losses stemming from privacy violations. (3) While absolute privacy is unattainable, there are good reasons for pursuing policies which might prevent the erosion of its boundaries--no matter how gray or ill-defined those boundaries may be. (4) In the area of personal health and medical information, the sensitive nature of the information at stake makes such losses all the more perilous and potentially injurious. (5)

Congress, concerned with the specter of privacy violations made possible by advances in technology and the use of electronic data storage, enacted medical privacy regulations with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). (6) HIPAA imposes considerable regulatory burdens on health care organizations in the hope that strict administration and control of information will prevent both real and perceived injuries from unauthorized and unwanted scrutiny of personal health data. (7) These concerns are by no means unfounded, but it remains to be seen whether HIPAA's means of prevention are in fact the best cure.

Part I of this Comment gives a brief overview of the general development and regulatory requirements of HIPAA. Part II critiques HIPAA from a law and economics perspective, examining the economics of privacy, the problematic conditions in the market for health care services, whether HIPAA adequately addresses privacy concerns, and the costs and consequences of HIPAA. Part III suggests several alternatives for privacy advocates. In making policy choices, the costs should be carefully weighed against the benefits, and the outcomes should significantly solve the problems the policy was intended to address. (8) The tradeoffs we accept in return for greater privacy protections should reflect our individual preferences to the greatest extent possible, and the solution put into place should have the flexibility to adjust to changing needs and the appropriate incentives to improve over time. Ultimately, HIPAA fails to meet these criteria, creates a number of new legal and economic problems, and adds regulatory and financial burdens to an already complex and costly health care system.


While HIPAA's general policy goal was to protect the continuity of employee health coverage when changing jobs, (9) the primary purpose of the privacy provisions was to address the public's concern over employer access to sensitive employee medical information. (10) Other goals included providing additional safeguards against third party access to "protected health information" ("PHI"), (11) establishing procedures for information access, (12) and giving patients notice and access rights to their medical information. (13)

The HIPAA legislation gave Congress a self-imposed deadline of three years to enact legislation protecting the privacy of health information. (14) Congress required the privacy regulations to address three specific areas:

1) The rights that an individual who is a subject of individually identifiable health information should have.

2) The procedures that should be established for the exercise of such rights.

3) The uses and disclosures of such information that should be authorized or required. (15)

In lieu of Congress meeting the deadline, the Secretary of Health and Human Services ("HHS") was authorized to enact such regulations. (16) Congress failed to act before the HIPAA deadline in 1999. The HHS Secretary then undertook the task, issuing final regulations in April of 2001, which went into effect on April 14, 2003. …
