The Department of Health and Human Services has recently been exercising its authority under the (wittily named) "administrative simplification" part of the Health Insurance Portability and Accountability Act to regulate the confidentiality of medical records. I love the goal; I loathe the means. The benefits are obscure; the costs are onerous. Putatively, the regulations protect my autonomy; practically, they ensnarl me in red tape and hijack my money for services I dislike.
HIPAA (a misnomer—HIPAA is the statute, not the regulations) is too lengthy, labile, complex, confused, unfinished, and unclear to be summarized intelligibly or reliably. (Brevis esse laboro, obscurus fio.) However, a covered entity is any health plan or "health care provider" that "transmits any health information in electronic form." If HIPAA has a general rule, it is that (1) a "covered entity may not use or disclose protected health information except as permitted," (2) the entity must "make reasonable efforts to limit protected health information to the minimum necessary," and (3) the covered entity must require its "business associates" to "appropriately safeguard the information." With plentiful exceptions and restrictions, entities may use or disclose information "for treatment, payment, or health care operations."
There is much more. For instance: (1) Information may usually be disclosed for "marketing" only with the patient's elaborately detailed authorization. (2) An entity may reveal a patient's name, room, and general condition to "persons who ask for the individual by name" but "must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information . . . and provide the individual with the opportunity to restrict" the disclosures. (3) Entities may release information with the patient's consent. If a patient cannot give consent, the "entity may, in the exercise of its professional judgment, determine whether . . . disclosure [to a person taking care of the patient] is in the best interests of the individual and, if so, disclose only the . . . information that is directly relevant to the person's involvement with the individual's health care."
Almost every part of HIPAA instructs the entity to loose rivers of information upon the patient. Entities may do many things without consent, but they must specify these things at punishing length. One example: the notice must describe each purpose "for which the covered entity is permitted or required . . . to use or disclose protected health information without the individual's written authorization." This "description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law." Entities may do many things only with consent, which must be solicited through another grueling barrage of disclosures.
Why HIPAA? Medical privacy was multiply protected—by ethical codes, state and federal statutes and administrative regulations, tort law (which, unlike HIPAA, gives patients remedies), accrediting organizations, hospital policies, even the market—long before HIPAA gleamed in a bureaucrat's eye. As Richard Epstein notes, before HIPAA we saw no "explosion of improper disclosures of sensitive information, and no systematic unwillingness to deal with the problems that do arise by private organizations or even by more limited and focused regulatory responses."
So why HIPAA? HHS presented and justified its basic rules in 400 large pages of small print. First: "Privacy is a fundamental right. . . . [I]t speaks to our individual and collective freedom." This makes me reach for my Burke. He could not praise "anything which relates to human actions . . . on a simple view of the object . . . in all the nakedness and solitude of metaphysical abstraction. Circumstances (which with some gentlemen pass for nothing) give in reality to every political principle its distinguishing color and discriminating effect."
"Privacy" means everything and nothing. In law, "privacy" is so protean that it is meaningless without modification. Privacy as "fundamental right" is an idea from constitutional law, but it refers to freedom of choice, not confidentiality of information. The Constitution protects physical privacy only sporadically; for example, only some searches are prohibited. More broadly, I doubt that the interests protected by "privacy" are distinctive or illuminating enough to make up an independent moral category...