What sort of laws will affect health data?
It is time to take a fresh look at a tough information policy issue now at the heart of
the debate over health privacy legislation. The issue sounds simple: Should federal
privacy law pre-empt state laws?
The implications of the debate are indirectly important to managers of federal systems
containing individuals' health information. Should federal prevail, it would be more
Pre-emption is an old and familiar subject of debate. Some matters are wholly federal,
such as national defense. Some have always been locally determined, such as regulation of
attorneys. Jurisdiction can also be shared between federal and state governments, such as
in consumer protection.
But, what is the right answer for health privacy legislation? Those who favor federal
pre-emption argue that health care treatment and payment is an interstate activity today.
It is common for an individual to have a physician in one state, a hospital in another, a
mail-order pharmacy in a third, and a health insurer in a fourth.
For record-keepers, complying with different--and potentially conflicting-- state laws
may be expensive. Also, letting states regulate health records may interfere with the
standardization for electronic health care transactions that Congress mandated in the 1996
Health Insurance Portability and Accountability Act.
Because health records routinely flow from state to state, no single state law can
dictate the way in which the record may be used. Currently, states have different and
inadequate laws on health privacy, so we can't avoid the problem by assuming equality of
Another argument favoring federal preemption is the increasing use of computers and
networks to transfer health data. Electronic transmission of data increases the number of
locations where data may be maintained. Nothing prevents a hospital in Maryland from
keeping its records on a computer in South Dakota. Or, for that matter, in Sweden or
It may be impossible to determine at any given time exactly where information is
maintained. Records may travel from server to server and reside, at least temporarily, at
locations anywhere on a network. It shouldn't be surprising that the health industry
strongly supports greater federal pre-emption.
Patient and privacy advocates tend to favor a strong federal hand, but they want to
allow states to enact more-stringent health privacy laws. The Health and Human Services
Department secretary agrees. The argument against pre-emption focuses on the possibility
that an exclusive federal law might wipe out better state laws, such as those covering
AIDS disclosure, psychiatric history or genetic records.
The states themselves are always leery of federal pre-emption. They feel that they can
do a better job of meeting local needs. The states also serve as a laboratory for
experimentation with new ideas. Exclusive federal legislation eliminates the possibility
of learning from state experiences.
So what is the right answer? I offer a couple of thoughts.
First, we know that state laws on health privacy are pretty bad. They provide limited
legal protection for a small subset of health records. No state has a modern,
comprehensive health privacy law. Even some state laws for mental health records are weak.
There may not be much effective state law to preserve.
If a weak federal law passes, then state laws may indeed offer better protection. We
may need to reserve judgment for a while. Secondly, pre-emption does not have to be a
single issue with a single solution. It may make sense for a federal law to be more
preemptive in some areas--for example, encryption standards--and less pre-emptive in
others, such as restricting access by state agencies.
If we break pre-emption into components, we are more likely to find acceptable
solutions. If we only debate pre-emption at the slogan level, it will be impossible to
Don't underestimate the political force behind pre-emption fights. A bitter
disagreement over federal pre-emption dogged amendments to the Fair Credit Reporting
Act--otherwise largely agreed-to by industry and consumer groups in the early 1990s. If we
ever get a health privacy bill close to passage, it would be a shame to see it fail over a
Robert Gellman, former chief counsel to the House Government Operations Subcommittee on
Information, Justice, Transportation and Agriculture, is a Washington privacy and
information policy consultant. His e-mail address is [email protected].