Prying Eyes: The End of Medical Privacy
Tuesday, January 21, 2003
By Charlotte Twight
So you've finally worked up the courage to whisper to your doctor an
embarrassing fact about your medical condition, revealing your innermost
concerns.
Guess what? You also may have just whispered your secret to countless
unknown bureaucrats and industry operatives, and there’s nothing you can
do about it.
Don’t want to believe it? Then you’d better not read any further.
The truth is that the federal government already has asserted virtually
unlimited discretionary power to examine our personal medical records --
without a court order, without a warrant based on probable cause,
without any judicial process whatsoever. Law-abiding citizens are the
predominant targets and most likely victims of this unprecedented
snooping by the U.S. government.
This assault on our medical privacy is accelerating. In August 2002, the
executive branch weakened the federal government’s already flawed
medical privacy regulations. In June 2002, a U.S. district court judge
dismissed a well-founded constitutional challenge to the medical privacy
rules. Finally, leaving little doubt about its endgame, the federal
government revealed in fall 2002 that its planned "Total Information
Awareness" program is targeting, among other things, medical information
about all of us.
We cannot take much comfort from the so-called medical "privacy"
regulations spawned by the 1996 Health Insurance Portability and
Accountability Act. Lest we forget, the perceived need for the
regulations arose when the federal government itself jeopardized our
medical privacy by mandating standardized, easily transmitted electronic
databases of personal medical information nationwide. Federal officials
eagerly developed data formats and codes to track everything from your
diabetes to your medications and your last menstrual period.
Unfortunately, the regulations purported to shield this cornucopia of
deeply personal information emerged as anti-privacy regulations.
Finalized by the Clinton administration in December 2000 and adopted by
the Bush administration in April 2001, the regulations utterly failed to
protect our medical records from the prying eyes of government officials
and others.
For example, health care providers covered by these rules "must permit
access" by the secretary of Health and Human Services to the covered
entity's "facilities, books, records, accounts, and other sources of
information, including protected health information." That means your
individual medical records. If the HHS secretary so demands, the
physician or other covered entity "must permit access by the secretary
at any time and without notice." In a heartbeat your medical records
thus may be put in the hands of federal officials, with no judicial
process required.
Last August the Bush administration further weakened the HIPAA medical
privacy rules. As a result, today patient consent is not required for
disclosures of your personal medical information by covered entities in
connection with medical treatment, payment or health care operations.
Although patient authorization is required in certain other situations,
a laundry list of over-broad exceptions retained from the original rules
largely guts the authorization requirement.
For example, uses and disclosures of personal medical information for
"health oversight activities" do not require patient authorization.
Moreover, HIPAA does not authorize effective legal restraints on
redisclosure of our medical information once it is given to a third
party such as a business associate of a health care provider. And the
HHS secretary's unlimited discretionary authority to peruse our medical
records remains unchanged.
In August 2001, the Association of American Physicians and Surgeons,
Rep. Ron Paul, R-Texas, and other plaintiffs brought a lawsuit
challenging the original medical privacy regulations based in part on
the First, Fourth and 10th amendments to the U.S. Constitution. The case
is AAPS et al. v. U.S. Dept. of Health and Human Services, et al.
Plaintiffs there alleged that, in violation of the Fourth Amendment, the
regulations "provide the government with broad access to highly personal
medical records of patients, without a warrant." They challenged as
violative of the First Amendment "the chilling effect of the Privacy
Regulations on patient-physician communications" and the authorization
of "governmental access to virtually all patient-physician
communications without consent, a warrant, or a compelling state
interest."
The AAPS further argued that the regulations exceeded the authority
granted to the federal government by the Constitution's interstate
commerce clause, thus "violat[ing] the Tenth Amendment to the extent
they govern purely intrastate activities by physicians in using and
maintaining medical records for patients."
Nonetheless, on June 14, 2002, U.S. District Court Judge Sim Lake
dismissed the plaintiffs' constitutional and statutory claims. Despite
specific injuries cited by the plaintiffs, the court held that the
plaintiffs' First and Fourth Amendment claims were not "ripe" for
judicial decision and that "plaintiffs lack standing to pursue these
claims," because "plaintiffs have suffered no actual or imminent injury
due to enforcement of the Privacy Rule." The case is now on appeal to
the U.S. 5th Circuit Court of Appeals.
But the coup de grace to our medical privacy apparently may soon be
delivered by the federal government's Total Information Awareness
program, headed by John Poindexter and developed under the Pentagon's
Defense Advanced Research Projects Agency (DARPA) umbrella. Many now
know the broad outlines of TIA, the Orwellian plan by the federal
government to develop broad, interconnected electronic databases about
virtually every aspect of the lives of law-abiding Americans.
However, many do not know that -- in addition to financial, education,
travel, veterinary (yes, veterinary), country entry, transportation,
housing, communication, and other types of data -- the Total Information
Awareness program is targeting personal medical information. It is
specifically listed as key "transactional data" flowing into the
"automated virtual data repositories" described on the Total Information
Awareness system Web site
(http://www.darpa.mil/iao/TIASystems.htm).
Of course, this is said to be for the purpose of catching terrorists.
But one must ask why the federal government continues to shun more
focused efforts to thwart terrorists while so fervently seeking to
scrutinize the personal activities of even the most honorable among us.
Today, a law-abiding citizen's only opportunity to keep his or her
medical information out of government hands is to find physicians who
are opting out of the standardized electronic database system. To opt
out, physicians must avoid transmitting any health information
electronically in connection with transactions covered by the
regulations, thereby qualifying for the "country doctor" exception to
the federal database requirements. Those who limit their practice in
this way are not considered to be "covered entities" and thus are not
subject to the "privacy" regulations.
But today's brightest hope regarding medical privacy is the ongoing AAPS
lawsuit against the U.S. Department of Health and Human Services. Let us
hope that the 5th Circuit Court of Appeals gets it right.