Harms Addressed by the HIPAA Privacy Regulations

Home > Privacy and Business > Medical Privacy > Select Laws and Regulations > HIPAA Privacy Regulations > Where the HIPAA Privacy Regulations Came From > Harms Addressed by the HIPAA Privacy Regulations

Harms Addressed by the HIPAA Privacy Regulations

One of the most intriguing elements of the privacy regulations issued under the Health Insurance Portability and Accountability Act is the harms that the regulations are intended to address. In the "preamble" to the regulations — the section that describes their basis and purpose — a surprisingly small number of actual harms to privacy are recited. Many of those that are discussed would not be prevented by the regulations.

Several of the privacy breaches resulted from stupidity, mistakes, or violations of existing law or rules. For example, the regulation cites:

The accidental posting of medical records on the Internet by a Michigan-based health system;

Theft and misuse of HIV records by an employee of the Tampa, Florida health department (who was subsequently fired);

An incident where health insurance claims forms blew out of a truck; and

Prescription records being found on the hard drive of a used computer.

Unfortunately, stupidity and mistakes cannot be prevented by regulation. More likely, complex regulations like the HIPAA privacy rules will magnify stupidity and increase mistakes.

The preamble does cite many polls and studies where consumers stated their concerns about privacy, which is indeed important. If the Department of Health and Human Service can not identify concrete harms to privacy that the regulation would prevent, however, there is some question whether the regulations will do anything to assuage public concern. The HIPAA regulations may increase regulation and health care costs without materially improving either actual privacy protection or public perceptions.

Links:

Comments? comments@privacilla.org (Subject: HIPAAHarm)

[updated 01/02/01]