To the Editor: There once was a happy time when HIPAA referred to insurance reforms that increased access and tried to reduce costs. Owing to its gargantuan privacy rule, HIPAA is now known mainly as the source of constant headaches and endless strife over whether patients' medical records are adequately protected. The privacy rule was meant to pave the way for electronic claims processing, but the naive goal of achieving "administrative simplification" has encountered the medical world's monumental complexity.
Medical professionals have always been subject to firm legal and ethical rules about confidentiality and patients' rights, enforced by serious sanctions such as tort suits. These rules worked reasonably well prior to HIPAA's much sterner enforcement, but to make HIPAA even more oppressive, Richard Sobel ("The HIPAA Paradox: The Privacy Rule That's Not," Jul-Aug 2007) proposes giving patients the right to consent to various uses of their medical information.
Consent sounds simple and innocuous, but consent's other shoe is the right to refuse--meaning the right to insist on doing things exactly the way each patient wants. Sobel does not even allude to the difficulties this entails for framing a workable extension of the privacy rule. Surely a patient could not insist that a hospital accept him under a wholly fictitious identity, nor could she demand that no one else on the medical team know about important details like test results. Providers can always demand certain latitudes, but what precisely are they? Specifying that will be even more complex than the current privacy disclosures--which then would need to be fully understood and negotiated for each patient by each provider.
Why is this necessary? Despite the threat of identity theft, similar protections don't exist for credit cards, Internet transactions, and the like, yet commerce proceeds apace. Analogously, we have rules for how people should drive--within a speed limit, and not recklessly. These driving rules aren't perfectly crafted and enforced, and many people die as a result. Yet we do not try to regulate the infinite complexity of driving in various circumstances. Were we to specify acceleration rates, vehicle spacing, turn signal timing, etc., at various speeds and conditions with sufficient margin for error that most accidents were avoided, gridlock would surely prevail. Yet this is more or less what Richard Sobel argues HIPAA should do for medical records, even though intangible privacy interests are surely...