Marcy Wilder, former Deputy General Counsel at the Department of Health and Human Services (HHS), on the creation of HIPAA and its lasting impact
MARCY WILDER: Recently we marked the 25th anniversary of President Clinton signing HIPAA — the Health Insurance Portability and Accountability Act — into law. Although best known for protecting the privacy of patient records, the statute was largely focused on making sure employees could keep their health insurance when they changed jobs, protecting people from being denied coverage because of preexisting conditions, and streamlining electronic health care billing to make it faster and more efficient. In President Clinton’s words upon signing the legislation, “For the first time, this Act will ensure the portability of health benefits when workers change or lose their jobs and will protect workers against discrimination by health plans based on their health status.”
Back in 1996, as HIPAA legislation was on the verge of passing with bi-partisan support, thorny privacy issues were threatening to scuttle the entire enterprise. A compromise was struck whereby Congress would give itself a deadline of three years to enact privacy legislation, and if it didn’t — the Department of Health and Human Services (HHS) Secretary would by default be required to issue privacy regulations.
On the day that three years expired, I was the Deputy General Counsel at HHS and happened to be standing in my boss’ office when Secretary Donna E. Shalala walked in, smiled, and said, “Well, they missed the deadline, I guess you better get started.” The General Counsel, Harriet Rabb, turned to me and said, “I think this one is yours.” With that, I began advising an amazing team of policymakers at HHS as we went about drafting the first federal health privacy regulations in the United States.
Protecting patient privacy and, at the same time, striving to enable the health care system to run effectively and without major interruption was not an easy balance to strike. The agency received a massive number of comments — more than 52,000 — that came in response to the proposed rule published in November 1999. These comments reflected a wide range of passionate views with health care providers concerned that the patient consent requirements would be unworkable and that the rule would get in the way of everything from sign-in sheets to talking with family members about the care of a loved one. Privacy advocates claimed that the many uses of medical information permitted without patient consent rendered the law toothless.
In the end, the Privacy Rule, the final regulation issued on December 28, 2000, made clear that a patient had a right to access their own medical records and that their health information could not be used for marketing without their consent. Health care providers and plans, with notice to patients, were permitted to use patient information unimpeded for treatment, payment, and health care operations, such as improving the quality of care and population health. The use of patient information for research and public health purposes was enabled in a privacy-protective way.
The HIPAA regulation provides a strong privacy foundation where it applies. The statute, however, is limited in scope to a short list of covered entities: health plans, clearinghouses, and most health care providers. As a result, the privacy regulation and its companion HIPAA security rule have a reach that is limited largely to health information generated in medical settings and by health plans (and their vendors known as business associates).
The gaps in HIPAA’s privacy protections, however, are abundantly clear.
The law was enacted at a time when health information was produced largely in clinical settings. 25 years later, health information is generated by consumers in all sorts of ways not associated with the medical system, and technology has evolved at a rapid rate. Information such as shopping habits, subscriptions, social media posts, grocery bills, and whether you own a car can be combined and analyzed to make inferences and predictions about your health status, and HIPAA protections do not apply. Nor does HIPAA apply to most of the fitness and sleep trackers you wear or to the health and wellness apps on your phone.
Additionally, HIPAA rules do not cover when airlines, stadiums, stores, theaters, or your employer asks you about your COVID-19 vaccination status. Thus, HIPAA colors inside the lines — protecting patients’ medical privacy rights without reaching data collection by search engines, data brokers, commercial vendors, and many researchers. How health-related information outside the medical system should be protected is the subject of ongoing debate.
HIPAA has evolved over the last two decades, and it would be hard to dispute the lasting impact it has had on the American health care system. When President Clinton announced the HIPAA privacy regulations in the waning days of his administration, it was the capstone of my time at HHS working with the dynamic team that would set the foundation for patient privacy for years to come.