HIPAA Passes with Limited Portability Protections While Granting Healthcare Industry Control Over Patient Data
President Clinton signs the Health Insurance Portability and Accountability Act (HIPAA), bipartisan legislation that ostensibly addresses insurance portability between jobs but creates a regulatory framework that permits extensive healthcare industry data sharing while blocking more comprehensive reform. The law’s limited portability provisions fail to address the fundamental problems of the uninsured while establishing privacy rules that primarily protect industry data practices rather than patient interests.
HIPAA’s portability provisions, sponsored by Senators Nancy Kassebaum and Edward Kennedy, address only a narrow problem: workers who change jobs losing coverage due to pre-existing condition exclusions. The law limits but does not eliminate such exclusions for people with continuous coverage, providing modest protection for a subset of the insured population while leaving the 40 million uninsured Americans unaddressed.
The health insurance industry initially opposes HIPAA but successfully shapes its final provisions. The law’s portability protections apply only to group coverage, not individual policies, maintaining insurers’ ability to underwrite and exclude individuals in the more profitable individual market. The industry blocks provisions that would have required guaranteed issue or community rating in small group markets, preserving risk selection practices that enable adverse selection against sick enrollees.
HIPAA’s privacy provisions, implemented through subsequent HHS rulemaking, create a framework that permits extensive data sharing among healthcare entities while burdening patients with complex authorization forms. The privacy rule allows covered entities to share protected health information for “treatment, payment, and healthcare operations” without patient consent, enabling the data flows that support claims processing, utilization review, and industry coordination. Patient authorization requirements apply primarily to marketing uses, protecting industry commercial practices while providing limited meaningful privacy protection.
The law establishes healthcare industry self-regulation through “business associate” agreements, allowing covered entities to share data with contractors, consultants, and vendors under contractual protections rather than direct regulatory oversight. This framework enables the growth of healthcare data analytics, marketing, and information industries while maintaining the appearance of privacy protection. HIPAA demonstrates how legislation addressing visible problems can be structured to protect industry practices while foreclosing more fundamental reform.