Institutional Competence to Balance Privacy and Competing Values: The Forgotten Third Prong of HIPAA Preemption Analysis

Barbara J. Evans

University of Houston Law Center

September 4, 2012

46 U.C. Davis Law Review (2013 Forthcoming)
U of Houston Law Center No. 2012-A-15

This article provides the first in-depth analysis of the preemption provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its major privacy regulation, the HIPAA Privacy Rule, which is widely believed to set a federal floor of privacy protection that leaves states free to set stricter privacy standards. While this belief is generally correct, it is false when state privacy laws impede enumerated public health activities that Congress deemed to have sufficient social value to warrant intrusions on individual privacy. The Privacy Rule does not itself preempt more stringent state privacy laws, but such laws face statutory preemption if they limit access to health data and biospecimens for use in the enumerated public health activities. The Privacy Rule thus is both a ceiling and a floor of privacy standards that apply in the context of these activities, which include emerging and important types of public health surveillance and investigations that require the use of large, interoperable health data networks.

This conclusion flies in the face of well settled rumors about how HIPAA preemption works. This article sets out to solve the mystery of how a major provision of HIPAA’s preemption framework came to be widely forgotten, and why the Privacy Rule seemingly ignored a clear statutory instruction to preempt state privacy laws as necessary to protect certain important public health activities. What emerges is a fascinating tale of Congress and a regulatory agency grappling with complex preemption choices that implicated not just federalism and individual rights but also important public interests that compete with privacy. Congress struck a balance between privacy and competing public interests in HIPAA’s statutory preemption provisions. The Privacy Rule’s failure to implement that balance is best explained as an administrative judgment that courts and legislatures, rather than regulatory bodies, possess superior institutional competence to implement the balance Congress struck. The Privacy Rule is a masterpiece of administrative modesty that carefully preserves Congress’s preemption choices by ceding implementation responsibilities to other institutions of government.

Number of Pages in PDF File: 38

Keywords: Privacy, HIPAA, Preemption, Public Health, Interoperable Health Data Networks, Health IT

Accepted Paper Series

Download This Paper

Date posted: September 5, 2012 ; Last revised: March 8, 2013

Suggested Citation

Evans, Barbara J., Institutional Competence to Balance Privacy and Competing Values: The Forgotten Third Prong of HIPAA Preemption Analysis (September 4, 2012). 46 U.C. Davis Law Review (2013 Forthcoming); U of Houston Law Center No. 2012-A-15. Available at SSRN: http://ssrn.com/abstract=2141566

Contact Information

Barbara J. Evans (Contact Author)
University of Houston Law Center ( email )
100 Law Center
Suite 230 BLB
Houston, TX 77204-6054
United States
713-743-2993 (Phone)
Feedback to SSRN

Paper statistics
Abstract Views: 275
Downloads: 68
Download Rank: 192,230

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo3 in 0.734 seconds