56 Pages Posted: 5 Sep 2012 Last revised: 2 Jul 2014
Date Written: 2013
This article provides the first in-depth analysis of the preemption provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its major privacy regulation, the HIPAA Privacy Rule, which is widely believed to set a federal floor of privacy protection that leaves states free to set stricter privacy standards. While this belief is generally correct, it is false when state privacy laws impede enumerated public health activities that Congress deemed to have sufficient social value to warrant intrusions on individual privacy. The Privacy Rule does not itself preempt more stringent state privacy laws, but such laws face statutory preemption if they limit access to health data and biospecimens for use in the enumerated public health activities. The Privacy Rule thus is both a ceiling and a floor of privacy standards that apply in the context of these activities, which include emerging and important types of public health surveillance and investigations that require the use of large, interoperable health data networks.
This conclusion flies in the face of well settled rumors about how HIPAA preemption works. This article sets out to solve the mystery of how a major provision of HIPAA’s preemption framework came to be widely forgotten, and why the Privacy Rule seemingly ignored a clear statutory instruction to preempt state privacy laws as necessary to protect certain important public health activities. What emerges is a fascinating tale of Congress and a regulatory agency grappling with complex preemption choices that implicated not just federalism and individual rights but also important public interests that compete with privacy. Congress struck a balance between privacy and competing public interests in HIPAA’s statutory preemption provisions. The Privacy Rule’s failure to implement that balance is best explained as an administrative judgment that courts and legislatures, rather than regulatory bodies, possess superior institutional competence to implement the balance Congress struck. The Privacy Rule is a masterpiece of administrative modesty that carefully preserves Congress’s preemption choices by ceding implementation responsibilities to other institutions of government.
Keywords: Privacy, HIPAA, Preemption, Public Health, Interoperable Health Data Networks, Health IT
Suggested Citation: Suggested Citation
Evans, Barbara J., Institutional Competence to Balance Privacy and Competing Values: The Forgotten Third Prong of HIPAA Preemption Analysis (2013). 46 U.C. Davis Law Review 1175-1230 (2013); U of Houston Law Center No. 2012-A-15. Available at SSRN: https://ssrn.com/abstract=2141566