INFORMATION POLICY FOR THE U.S. HEALTH SECTOR:
ENGINEERING, POLITICAL ECONOMY, AND ETHICS
POLITICAL-ECONOMIC ISSUES
Preemption and 'Federalism'
As noted elsewhere, in almost all industrialized countries today, the common approach to data protection is a comprehensive privacy law, setting out principles to be followed in both the public and private sphere, across all areas of the economy and all political jurisdictions (Bennett, 1992). By contrast, the US has pursued what is sometimes called a "sectoral" approach: different rules apply to different types of records, and often no rules apply at all (Reidenberg, 1995; Schwartz, 1995a). The 1974 Privacy Act applies almost exclusively to federal agencies; it does not reach state or local government, or the vast array of information practices in the private sector. US federal categorical/sectoral protections now include those for "wire" and oral communications (1968), credit reports (1970), educational records (1974), bank records (1978), cable television records (1984), "electronic" communications (1986), video rental records (1988), and employee polygraphs (1988). (For details, see Regan, 1995. Federal legislation is listed in the "Other Documents" section.) The patchwork structure comes by default rather than design, reflecting both the incrementalist biases of a governmental system based on separated powers, and the absence of any overwhelming US public sentiment for an omnibus data protection law.
Where federal statutes are lacking, US citizens are left with the protections at the state level. As noted, the constraints on health data practice now flow primarily from state-level protections erected in a pre-electronic era. Reliance on state action risks a chaotic data protection environment as well as an outdated one, with both inconsistencies where protections overlap and critical gaps where no protections exist at all. Businesses that operate in interstate commerce, as most health care entities now do, are burdened by the need to meet many different standards; individuals are likely to be left inadequately protected, and almost certainly are left confused. This argues for Federal preemption of state law. Opponents of preemption counter that it precludes the sort of state-level policy experimentation thought to be a core benefit of the "federalist" approach. It is obvious to all concerned that there is little consensus on the "best" formulation of the critical tradeoffs of health information policy (the details of legislation and regulation that will determine the actual substance of data protection), so loss of the opportunity for experimentation is viewed as a great loss indeed.
Unsurprisingly, arguments about the merits of efficiency and uniformity relative to the yield from 50 states' worth of experimentation are often a cover for notions about which jurisdictional level is likely to provide a data protection regime most consistent with the arguer's interests. Disagreements over preemption have forestalled data protection legislation in the past (e.g., the Fair Credit laws), and are a major source of contention for health sector information rules. A solution may require sub-dividing components of data protection proposals, to articulate precisely where preemption will and will not be allowed. But even this will require better consensus on how to define the "pieces."
Oversight/regulation/enforcement
The US has pursued the path of individual enforcement of information rights for over a hundred years, from the time when privacy was famously characterized by Warren and Brandeis (1890) as "the right to be left alone," and the new technology at issue was photography. Such common-law torts as intrusion upon seclusion, disclosure, false light and appropriation of name or likeness were the basis for lawsuits over privacy "invasions" (Prosser, 1960). Given US courts' inability to find strong constitutional grounds for a privacy right, statutory law has been the principal means for expanding protections, typically in a sector-by-sector fashion (see "Preemption and Federalism" section). Still, the emphasis has remained on individual enforcement under statutory standards, such as in the 1974 Privacy Act. Even at its enactment this was recognized as inadequate, given the limited abilities of an individual to know that a privacy violation had occurred, much less pursue litigation against a government agency (Privacy Protection Study Commission, 1977). Individual enforcement is all the more problematical now, two decades later, given the expanded scale and increasing diversity of public- and private-sector data collection.
Internationally, the common approach is to establish formal data protection authorities, with responsibilities for enforcing a comprehensive data protection law (Schwartz, 1995b). Such central authorities, typically part of the executive branch, enforce requirements for licensure or registration of data processing activities, monitor data collection practices, and provide a channel whereby individuals may press complaints. Alternatively, an independent data commission or commissioner may be established, performing the same functions but relying on established executive entities, the legislature, or the courts for enforcement (Bennett, 1992). Despite numerous reports recommending a similar approach in the US, Congress has never seriously considered the idea (Gellman, 1993). The anti-government, anti-regulatory sentiments prevailing today still make the approach difficult in the US. Voluntary self-regulation may be used as an alternative to formal oversight, or as a complement to government supervision. The European Data Protection Directive encourages establishment of industry codes, and this practice has been pursued extensively in the Netherlands (van den Hoven, 1995). In the US, administrations from Reagan's onward have encouraged corporations to adopt guidelines voluntarily, such as those of the Organization for Economic Cooperation and Development, but with unclear effects (Gellman, 1996).
Categorization (data, users, uses)
Just as broad-scale networking has made geographic borders increasingly irrelevant, other advances in information technology applications have blurred categories and functions. Traditional distinctions between types of data and types of data-users are fading, making construction of the specifics of data protection law increasingly difficult. The growing intricacy of information traffic also complicates the on-going task of regulation, once a legal foundation is established, and adds to the arguments for a permanent, independent data oversight body, with the time and resources to understand evolving data practices.
Traditionally, different classes of data have been given different levels of protection. Alcohol and substance abuse treatment records, mental health history, and AIDS/HIV status are all examples of "special" information targeted for extra protection. (In many cases, in the name of public health surveillance, extra disclosure requirements also attend.) In many current state and federal legislative proposals, genetic information is also singled out for special protections, to prepare for a world in which each individual's genetic makeup is categorized and stored. Unfortunately, one cannot lock up large portions of the medical record and still conduct either the clinical or administrative business of health care, and the less protected pieces of data quite often allow extrapolation of the hidden remainder. A patient's pharmaceutical use, for example, must be open to all practitioners, to avoid adverse drug interactions, as well as to the institutions that are paying the pharmacy bills. Drugs like Prozac or AZT are only used for certain things. Similarly, genetic information identifies increased propensities for particular diseases and disabilities. Until "cure" by alteration of genetic material is possible, the preponderant "therapy" will be increased screening, to pick up the predicted conditions earlier. The altered pattern of diagnostic testing will signal the genetic condition to any knowledgeable record reader.
Almost all the current U.S. health data protection proposals make rules for different categories of users and uses. Treatment and payment practices are generally lightly controlled, since this is at the core of system functioning; research and oversight/audit functions are somewhat more circumscribed; law enforcement functions receive the highest procedural controls, to afford protections to persons who may be adversely affected by investigations. Yet in modern US health care, there is a profound jumbling of roles. It is no longer a world where one can just worry about what the health insurance company knows. Employers are commonly insurers (approximately half of firms with over 50 employees are self-funded), and may even be providers of care at workplace clinics. Health maintenance organizations are providers of care, and typically also function as insurers (because HMOs typically absorb at least some of the financial risk for care). Joint ownership arrangements are common among pharmacies, hospitals, and health plans; data sharing among affiliated entities is standard business practice. It is similarly jumbled for individuals inside these organizations. A person perusing data to look at the medical quality of a particular patient's care today may be reviewing the same information for a cost control study tomorrow, looking for fraud the day after that, reviewing claims the day after that, and so forth. Institutional policies may set limits on such behavior (as may the institution's IRB), but the consensus is that today such constraints are generally weak ones, idiosyncratically applied.
Proprietary vs collective uses
While focused on engineering approaches to security, the recent National Research Council report (1997) concludes, as have so many others, that "the primary threats to the confidentiality of patient information originate from the lack of controls over the legal (and generally legitimate) demands for data made by organizations not directly involved in the provision of care," such as health services researchers, public health agencies, managed care organizations, insurers, and self-insured employers. Improved efficiency of health care research and public health surveillance are oft-cited collective benefits of electronic data regimes (see "Systemic Benefits" section). But the majority of financing, and the preponderance of the delivery, of US health care relies on private-sector activity, and most of these private entities collect and use data primarily for proprietary purposes. Under managed care models particularly, the corporate data store is a core corporate asset; it is not generally viewed as a "social asset" to be freely shared. Public policy must set the terms and conditions under which sharing will occur, so that collective benefits may be realized without unfairly burdening private corporate actors.
It will not be an easy balance, and little attention to the details of such sharing has occurred so far. Indeed, the issue of how to allocate the substantive burdens of data protection is little discussed in the academic literature. Many US health care organizations and interest groups support data protection laws that promote standardization across jurisdictions, purely on efficiency grounds. However, if it is to be worthy of the name, data protection law also imposes substantive procedural safeguards to structure data practices, along with penalties to be applied when the procedures are not followed. It is rare to find a cheerful embrace of constraints, costs and inconvenience, and it is clearly in an entity's proprietary interest to see regulations imposed on others rather than itself. However, none of the collective goals associated with improved information processing are likely to be achieved without public confidence in the system, and public confidence arguably requires a sense that all the entities in the health system play by a fair set of rules. Such rules will place substantive inconveniences, and impose substantive costs, on all entities.