Medical records and HIPAA: is it too late to protect privacy?

In this Comment, I respond to Professors James Hodge and Larry Gostin, who argue from a utilitarian perspective that the individual's private medical records should yield to communal public health needs when the benefits to public health are high and the risks to individuals are low. That is fine in clear cases such as bioterrorism, but it is not clear what the constraints would be in protecting individual privacy from a less compelling range of communal benefits. There is much to admire in the Hodge and Gostin attempt to reconcile individual privacy with communal needs. In the end, however, I do not think they offer an approach that will be easy to implement. As an alternative, I suggest that we use a modified rule of reason approach to protecting the privacy of medical records, with the default option in favor of protecting privacy as opposed to disclosure. My premise is that privacy involves fundamental values that cannot easily be subjected to a utilitarian construct. Although a balancing test is an inevitable part of the privacy debate, protecting privacy is so fundamental to the health care enterprise that it should be viewed as being at or near the top of a hierarchy of values. Private information should be disclosed only under limited circumstances.