Commentary

Prying Eyes: The End of Medical Privacy

This article was published in FOX News Online, Jan. 22, 2003.

So you’ve finally worked up the courage to whisper to your doctor an embarrassing fact about your medical condition, revealing your innermost concerns.

Guess what? You also may have just whispered your secret to countless unknown bureaucrats and industry operatives, and there’s nothing you can do about it.

Don’t want to believe it? Then you’d better not read any further.

The truth is that the federal government already has asserted virtually unlimited discretionary power to examine our personal medical records — without a court order, without a warrant based on probable cause, without any judicial process whatsoever. Law-abiding citizens are the predominant targets and most likely victims of this unprecedented snooping by the U.S. government.

This assault on our medical privacy is accelerating. In August 2002, the executive branch weakened the federal government’s already flawed medical privacy regulations. In June 2002, a U.S. district court judge dismissed a well-founded constitutional challenge to the medical privacy rules. Finally, leaving little doubt about its endgame, the federal government revealed in fall 2002 that its planned “Total Information Awareness” program is targeting, among other things, medical information about all of us.

We cannot take much comfort from the so-called medical “privacy” regulations spawned by the 1996 Health Insurance Portability and Accountability Act. Lest we forget, the perceived need for the regulations arose when the federal government itself jeopardized our medical privacy by mandating standardized, easily transmitted electronic databases of personal medical information nationwide. Federal officials eagerly developed data formats and codes to track everything from your diabetes to your medications and your last menstrual period.

Unfortunately, the regulations purported to shield this cornucopia of deeply personal information emerged as anti-privacy regulations. Finalized by the Clinton administration in December 2000 and adopted by the Bush administration in April 2001, the regulations utterly failed to protect our medical records from the prying eyes of government officials and others.

For example, health care providers covered by these rules “must permit access” by the secretary of Health and Human Services to the covered entity’s “facilities, books, records, accounts, and other sources of information, including protected health information.” That means your individual medical records. If the HHS secretary so demands, the physician or other covered entity “must permit access by the secretary at any time and without notice.” In a heartbeat your medical records thus may be put in the hands of federal officials, with no judicial process required.

Last August the Bush administration further weakened the HIPAA medical privacy rules. As a result, today patient consent is not required for disclosures of your personal medical information by covered entities in connection with medical treatment, payment or health care operations. Although patient authorization is required in certain other situations, a laundry list of over-broad exceptions retained from the original rules largely guts the authorization requirement.

For example, uses and disclosures of personal medical information for “health oversight activities” do not require patient authorization. Moreover, HIPAA does not authorize effective legal restraints on redisclosure of our medical information once it is given to a third party such as a business associate of a health care provider. And the HHS secretary’s unlimited discretionary authority to peruse our medical records remains unchanged.

In August 2001, the Association of American Physicians and Surgeons, Rep. Ron Paul, R-Texas, and other plaintiffs brought a lawsuit challenging the original medical privacy regulations based in part on the First, Fourth and 10th amendments to the U.S. Constitution. The case is AAPS et al. v. U.S. Dept. of Health and Human Services, et al.

Plaintiffs there alleged that, in violation of the Fourth Amendment, the regulations “provide the government with broad access to highly personal medical records of patients, without a warrant.” They challenged as violative of the First Amendment “the chilling effect of the Privacy Regulations on patient-physician communications” and the authorization of “governmental access to virtually all patient-physician communications without consent, a warrant, or a compelling state interest.”

The AAPS further argued that the regulations exceeded the authority granted to the federal government by the Constitution’s interstate commerce clause, thus “violat[ing] the Tenth Amendment to the extent they govern purely intrastate activities by physicians in using and maintaining medical records for patients.”

Nonetheless, on June 14, 2002, U.S. District Court Judge Sim Lake dismissed the plaintiffs” constitutional and statutory claims. Despite specific injuries cited by the plaintiffs, the court held that the plaintiffs’ First and Fourth Amendment claims were not “ripe” for judicial decision and that “plaintiffs lack standing to pursue these claims,” because “plaintiffs have suffered no actual or imminent injury due to enforcement of the Privacy Rule.” The case is now on appeal to the U.S. 5th Circuit Court of Appeals.

But the coup de grace to our medical privacy apparently may soon be delivered by the federal government’s Total Information Awareness program, headed by John Poindexter and developed under the Pentagon’s Defense Advanced Research Projects Agency (DARPA) umbrella. Many now know the broad outlines of TIA, the Orwellian plan by the federal government to develop broad, interconnected electronic databases about virtually every aspect of the lives of law-abiding Americans.

However, many do not know that — in addition to financial, education, travel, veterinary (yes, veterinary), country entry, transportation, housing, communication, and other types of data — the Total Information Awareness program is targeting personal medical information. It is specifically listed as key “transactional data” flowing into the “automated virtual data repositories” described on the Total Information Awareness system Web site.

Of course, this is said to be for the purpose of catching terrorists. But one must ask why the federal government continues to shun more focused efforts to thwart terrorists while so fervently seeking to scrutinize the personal activities of even the most honorable among us.

Today, a law-abiding citizen’s only opportunity to keep his or her medical information out of government hands is to find physicians who are opting out of the standardized electronic database system. To opt out, physicians must avoid transmitting any health information electronically in connection with transactions covered by the regulations, thereby qualifying for the “country doctor” exception to the federal database requirements. Those who limit their practice in this way are not considered to be “covered entities” and thus are not subject to the “privacy” regulations.

But today’s brightest hope regarding medical privacy is the ongoing AAPS lawsuit against the U.S. Department of Health and Human Services. Let us hope that the 5th Circuit Court of Appeals gets it right.

Charlotte A. Twight is an adjunct scholar with the Cato Institute and the author of “Dependent on D.C.: The Rise of Federal Control over the Lives of Ordinary Americans” (Palgrave/St. Martin’s Press, January 2002).