Finding the Best of the Imperfect Alternatives for Privacy, Health IT, and Cybersecurity
18 Pages Posted: 10 Dec 2012 Last revised: 27 Jan 2023
Date Written: December 10, 2012
This article is part of a Wisconsin Law Review symposium in honor of the work of Neil Komesar, and particularly his book “Imperfect Alternatives: Choosing Institutions in Law, Economics, and Public Policy.” I used this as the main text in 2003 for one of the first law school courses on “The Law of Cybersecurity,” even though the book doesn’t even mention cybersecurity. The reason was that it was the best single vehicle I had found to prepare students to think critically about comparative institutional analysis, such as how to create institutions that better foster cybersecurity.
Part I praises Komesar for recognizing the importance both of market failures and government failures. President Reagan famously summarized the government failure argument: “The nine most terrifying words in the English language are, ‘I’m from the government and I’m here to help.’” More recently, President Obama pointedly joked about the knee-jerk answers of the anti-regulatory crowd: “Feel a cold coming on? Take two tax cuts, roll back some regs, and call us in the morning.” This article argues that Komesar does an admirable job of appreciating the interactions of these two sorts of failures, and provides an intellectual underpinning for the approach to cost/benefit analysis now institutionalized in the U.S. Office of Management and Budget.
Part II assesses the imperfect institutional alternatives that apply for the HIPAA medical privacy rule. Although the rule as drafted certainly had flaws, a regulation of this sort seems to have worked better than market-based or other alternatives for protecting medical privacy.
Part III analyzes the institutional reasons that U.S. health providers have been slow to adopt electronic health records for patients’ clinical records. The Bush administration tried to spur adoption by emphasizing the role of private-sector standards efforts. Adoption appears to be growing much more quickly, however, due to funding for meaningful use of EHRs in the 2009 stimulus bill. The combination of funding and standards incorporated into regulations appear to be working better than alternatives for overcoming coordination problems for EHRs.
Part IV examines the institutional alternatives for U.S. governance of Internet privacy. Self-regulatory efforts have been important in changing industry practices. Legislation, however, may well improve practices in the area compared with sole reliance on such self-regulatory initiatives.
Part V examines imperfect alternatives for cybersecurity. As Komesar teaches, the features that make an issue difficult for one institution (such as a market approach to cybersecurity) often make the issue similarly difficult for another institution (such as government rules for cybersecurity). The analysis here suggests caution about proposed cybersecurity legislation, while acknowledging significant and continuing market failures.
Part VI examines the relatively limited role for the courts in governing these information policy issues, notably because systemic change of information practices is often a bad fit for the case-by-case approach of adjudication.
In conclusion, Komesar’s work usefully informs the major information policy issues facing policy makers today.
Keywords: privacy, medical privacy, health IT, cybersecurity, internet privacy, comparative institutional analysis, administrative law
JEL Classification: K13, K2, K20, K23, K19
Suggested Citation: Suggested Citation