The challenge of legislation lies in definitions

Here is the first problem: What kind of information should be covered by a health
privacy law? Data in a hospital record or doctor's office is clearly health information. A
health insurer processes claims that have diagnoses, procedures and prescriptions. That
sounds worthy of protection, too. So far, so good.

What other information should be included? Employers and schools obtain data about health
status, i.e., "Billy won't be in today because he has the flu." Other businesses
routinely collect health data, too. A landlord, life insurer or credit grantor might learn
something about your health.

If you participate in a frequent shopper program at a supermarket, your purchases may tell
something about your health. It is not hard to guess why someone bought a tube of
Preparation H, a diabetic meal or an allergy pill.

Other marketers maintain health files, too. Some mailing list vendors have databases with
millions of consumers by diagnosis such as arthritis, Parkinson's disease or angina.
Should these lists be included?

Your neighbors, coworkers and relatives probably know something about your health. Do we
want to establish laws for what they can do with the information they have? For that
matter, people walking down the street can observe health information such as a broken
leg, acne or a missing limb.

What is health information anyway? Is it health data that you are bald? For a 70-year-old
man, the information might be unremarkable. Not so for a 20-year-old woman. How about
fillings in your teeth? Is your race health information? Your gender? Does it matter if
the data came from a blood or genetic test rather than by observation?

No one said this would be easy. How do we write a formal definition? Keep in mind the
importance of making clear who will be subject to the law and the kind of information that
will be covered. 

You are welcome to pause here and think about how to solve this problem. Don't draft a
formal definition, just figure out a general approach. Start reading again when you are
ready, and I'll tell you my answer.

I don't think it is possible to define health information directly. But we can define what
a health care provider is. One place to start, therefore, is with patient files of health
care providers. The next step is to recognize that, from a records perspective, providing
care and paying for care are mostly indistinguishable today. So payment records must also
be covered.

By the way, defining providers and insurers is not all that easy either, but it is

Now that we have a basic concept, we can use it to expand the scope. Those who obtain
protected health information from a provider or insurer also become subject to regulation.
How do they know that they have covered data? They get a notice along with the data so
they know they have to comply with the law. 

But what about all the health information that we have identified that isn't covered by
our definition?

One answer is that you can't do everything. Expanding the scope further may create more
problems than it will solve, and so I quit at this point. The approach isn't perfect, but
it is workable, clear and addresses the heart of the problem.

 I hope you found this exercise interesting and even enlightening. Perhaps those of
you who implement legislation will now have a better appreciation for the difficulties of
making policy and drafting laws. 

Sometimes a problem is difficult, and no totally satisfactory solution is available.
Congress makes a choice and moves on to the next problem. Hundreds of other difficult
choices remain before a health privacy bill becomes law. 

Robert Gellman, former chief counsel to the House Government Operations Subcommittee
on Information, Justice, Transportation and Agriculture, is a Washington privacy and
information policy consultant. His e-mail address is

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.