@Info.Policy: Better ways to complain about privacy rules
- By Robert Gellman
- Jun 06, 2004
If you have visited a doctor or hospital lately, you probably received a notice of your health privacy rights for the first time in your life.
The American health-care establishment has spent the last year implementing new privacy regulations under the Health Insurance Portability and Accountability Act, better known as HIPAA.
I recently attended a hearing on the HIPAA rules held by a Health and Human Services Department advisory committee. I came away with three observations about evaluating the new rules. Many agencies and companies are facing new privacy obligations and problems, so the lessons are worth sharing.
First, are the problems transitory? Any complex set of rules takes considerable time and effort to learn. People miss the point, lawyers give bad advice and procedure unnecessarily triumphs over substance.
I doubt many GCN readers remember when federal agencies implemented the Privacy Act of 1974, but it took a couple of years before transitional problems disappeared and agencies understood how to deal with the law.
Second, do the problems result from interpretation of badly drafted regulations? Privacy principles look simple on a blackboard but can turn complicated when translated into formal rules. The drafters may not have understood what they were regulating, or the rules may be confusing or incomplete.
Third, do the problems result from bad policy? Just like skinning cats, there are many ways to implement privacy principles. Sometimes regulators and legislators make the wrong choices. These problems are the most difficult because they won't disappear with the passage of time or the issuance of better guidance.
Solving fundamental conceptual problems requires rethinking, revising rules or amending legislation.
If you are implementing privacy rules in your agency or company, keep these three categories in mind. You will increase the chance of finding the right person to complain to and the right solution if you can define a problem as transitional, interpretative or conceptual.
General complaints that the privacy rule is terrible will not help and might only make you look bad.
At the hearing I attended, one witness complained that the health privacy rule was interfering with research because patients who were informed of their rights sometimes declined to participate.
Another objected that a hospital could no longer transfer patient data to third parties without patient consent. These outcomes are exactly what the rule was intended to accomplish.
Neither witness seemed to understand anything about privacy or to care about the interests of the patients. Needless to say, they didn't score many points with the committee.
The lesson here is not that privacy rules are wonderful. Often they are not. But if you know what the rules are intended to accomplish and can articulate their shortcomings in constructive ways, you may be able to find better solutions and help others make improvements.
Learn how to complain effectively.
Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.