Cato Journal

Cato Journal

Spring/Summer 2002


HIPAA on Privacy: Its Unintended and Intended Consequences
By Richard A. Epstein



The single most conspicuous growth industry in Washington, D.C., is regulation and the administrative structure it spawns. The number of programs in Washington that start big is relatively small. The dominant strategy in all cases is to identify some failure in the private sector and then to propose some well-tailored government program to combat it. At the stage of inception, everyone is sensitive to the risks of overreaching through regulation. But the mood shifts on implementation of the program.

The key question is what attitude is brought to the two kinds of error that must be confronted by any system of social control: too much or too little. Within this new context, the risks of underinclusion are always high on the agenda. The risks of overinclusion tend to be neglected.

To give but one example, the 1964 Civil Rights Act was sold as a statute that was intended to remove a particular form of irrationality in the marketplace by refusing to allow employers to make invidious distinctions on grounds of race, sex, and national origin. At the time everyone disclaimed any effort to impose prohibitions when employers did not resort to conscious differences in treatment. No one thought that employers could be held responsible for the background conditions in society at large that contributed to differential levels of preparation of, for example, black and white applicants.1 But we all know the story as to how the initial program grew rapidly by a combination of administrative regulation and judicial decisions. The same story could be told over and over again, for example, with the growth in Social Security and Medicare.

The Health Insurance Portability and Accountability Act is obviously of more recent vintage, but it shows the same precocious capacity for growth so evidently present in earlier forms of federal regulation (Scott 2000). The language of the statute suggests that its primary concern was with "portability," namely the ability of individuals with preexisting conditions to keep their insurance coverage when they went from one job to another. But the real sleeper in HIPAA is found in its provisions on privacy, where the regulations, adopted in the face of a congressional impasse, have just taken off. In order to see how the process works, I propose to examine HIPAA in two ways. The first part is narrower in its orientation, and looks at what I believe to be the important conflict between the concern for privacy on the one hand, and the ability of medical scientists, physicians, and institutions to continue on with their traditional research activities. The second part will be more global, and will examine the larger intellectual framework on privacy that, in my view, fuels this latest misguided round of regulatory expansion. The third part of this paper then concludes with a discussion of the public choice explanation that drives these changes.

Full Text (PDF, 19 pages, 79 KB)