Pre-emption's Not So Simple: Part I
In 1996, Congress also enacted a law dealing with health privacy, the Health Insurance Portability and Accountability Act. Nearly every doctor, hospital and health insurer will have to follow new federal privacy rules starting April 14.
HIPAA follows what is now the most common pattern for federal privacy laws. Congress establishes a national standard, but it allows the states to have stronger laws. For health records, states always have had many laws affecting their use and disclosure. The scope and quality of state laws vary tremendously, but most states have dozens of separate, uncoordinated pieces of legislation. Even if you wanted to pre-empt all state laws, it would be extraordinarily challenging to figure out what and how.
The rest of this discussion is about HIPAA, which does not directly affect marketers. However, the real subject is pre-emption, and that should be of broader interest. Also, there is at least one medical marketing provision that is noteworthy. The subject is so expansive that it will stretch over two columns.
I just completed a project that explored the interface between health privacy laws for all the states and the federal HIPAA rule. The pre-emption analysis yielded interesting observations.
Pre-emption in the real world, especially when the states are active legislators, can be extremely complex. Each piece of each state law must be identified, analyzed and measured against the federal rule. Because privacy is not a one-dimensional issue, determining which law does a better job of protecting privacy is not always easy.
For example, many jurisdictions let patients obtain a copy of their records. For my money, the best policy is to give patients direct access without any exceptions. Some states have laws like that. The federal rule, however, has about a half-dozen exceptions.
Let's consider just a piece of one exception. Suppose you want to withhold information from a patient when disclosure would be harmful to the patient. How do you write that into law? The federal rule says you can withhold information if a healthcare professional in the exercise of professional judgment determines that access could be reasonably likely to endanger the life or physical safety of the individual.
Now let's play with the words. Another rule might allow withholding if disclosure was not in the best interest of the patient. Or if disclosure would be harmful to the patient. Or would likely be harmful to the patient. We can spin out real and hypothetical word formulas here for a long time.
What is the right policy? There is no right policy. It is a choice, and different legislatures naturally will reach different results.
Does this mean that we should have pre-emption to avoid the mess? You may think so, but I don't necessarily agree. Regardless of the conclusion, however, I want to recognize that pre-emption is different in the real world than as an abstract legislative slogan.
To give equal time to the other side, I find it just as difficult to argue that all wisdom resides in Washington. It is unfair to enact a federal law in the name of privacy that lessens protections that have existed for years in the states and that have not created problems.
I don't have any broad solutions to the privacy pre-emption wars. I have two suggestions as partial approaches to the problem. First, every privacy law does not have to be totally pre-emptive or totally not pre-emptive. We can choose among the pieces of a bill and decide that we will have national rules for some and local rules for others.
Second, even when we let states enact their own laws, we may find reasons to limit the range of choices. A federal law might let states pick from one of several possibilities. There may be no reason to have 50 different state standards when six would cover all reasonable alternatives.
Next month I will discuss how the feds worsened a difficult pre-emption problem and screwed up the marketing provision at the same time.