The single most conspicuous growth industry in Washington, D.C., is regulation and the administrative structure it spawns. The number of programs in Washington that start big is relatively small. The dominant strategy in all cases is to identify some failure in the private sector and then to propose some well-tailored government program to combat it. At the stage of inception, everyone is sensitive to the risks of overreaching through regulation. But the mood shifts on implementation of the program.
The key question is what attitude is brought to the two kinds of error that must be confronted by any system of social control: too much or too little. Within this new context, the risks of underinclusion are always high on the agenda. The risks of overinclusion tend to be neglected.
To give but one example, the 1964 Civil Rights Act was sold as a statute that was intended to remove a particular form of irrationality in the marketplace by refusing to allow employers to make invidious distinctions on grounds of race, sex, and national origin. At the time everyone disclaimed any effort to impose prohibitions when employers did not resort to conscious differences in treatment. No one thought that employers could be held responsible for the background conditions in society at large that contributed to differential levels of preparation of, for example, black and white applicants. (1) But we all know the story as to how the initial program grew rapidly by a combination of administrative regulation and judicial decisions. The same story could be told over and over again, for example, with the growth in Social Security and Medicare.
The Health Insurance Portability and Accountability Act is obviously of more recent vintage, but it shows the same precocious capacity for growth so evidently present in earlier forms of federal regulation (Scott 2000). The language of the statute suggests that its primary concern was with "portability," namely the ability of individuals with preexisting conditions to keep their insurance coverage when they went from one job to another. But the real sleeper in HIPAA is found in its provisions on privacy, where the regulations, adopted in the face of a congressional impasse, have just taken off. In order to see how the process works, I propose to examine HIPAA in two ways. The first part is narrower in its orientation, and looks at what I believe to be the important conflict between the concern for privacy on the one hand, and the ability of medical scientists, physicians, and institutions to continue on with their traditional research activities. The second part will be more global, and will examine the larger intellectual framework on privacy that, in my view, fuels this latest misguided round of regulatory expansion. The third part of this paper then concludes with a discussion of the public choice explanation that drives these changes.
HIPAA and Medical Research
In order to understand the impact of HIPAA on medical research, it is important to establish a baseline for comparison, which allows us to assess the differences between the pre- and the post-HIPAA world. The former world should not be treated as though it were the state of nature, in which no one knew about privacy or cared about the consequences that might flow from the inopportune release of information. Quite the opposite, the tradeoffs between the control of information and the need for its dissemination into different arenas did not first surface in 1995 or 1996. Rather, it has long been at the center of the discussion for research protocols used by physicians, hospitals, and research centers. The protection of medical records was always a big deal, one that was subject to regulation as well as contract (Moses 2000: 519-20), including the Freedom of Information Act and Medicare rules. (2)
The questions that were raised in response to this challenge were in my view the right questions: how much do we value privacy, how much will it cost to protect it, and what tradeoffs do we have to make with respect to other institutions? …