HIPAA governs the privacy activities of all professionals who transmit medical and billing data electronically -- which includes just about every medical professional, as well as group health plans and companies that handle financial and billing matters for providers. It also covers networks of lawyers, accountants, consultants, and pharmacists associated with health plans and doctors. Under HIPAA, patients cannot prevent their electronic and paper records from being used by any of these groups for health delivery and payment purposes, and some direct marketing is allowed. The medical industry is expected to police itself for unauthorized uses of patient information; the penalty for noncompliance is $100 per occurrence.
But controversial portions of the new law and its associated regulations allow police and intelligence agencies to obtain medical dossiers on demand, and to order medical-record custodians not to inform patients that the government has looked at their records.
Richard Campanelli, director of the Office of Civil Rights of the Department of Health and Human Services, which enforces HIPAA, says that the new law "limits access to medical records for the first time." For example, Campanelli notes, before April 14 there were no federal laws guiding local law enforcement access to medical records. Likewise, he draws attention to nitty-gritty details of HIPAA, such as a requirement that doctors must allow patients to correct errors in their medical records, and another that computer screens must be turned away from prying eyes in the waiting room.
Clearly, though, Campanelli emphasizes portions of the new law that strengthen medical privacy in particular cases and underplays those aspects of the law that weaken medical privacy on a sweeping basis.
Robert Gellman, a Washington, D.C.-based privacy lawyer who was deeply involved in the HIPAA drafting process as a congressional staff member, points out that before HIPAA, patients routinely consented to allowing their doctor to share their medical records with colleagues and business support people. That is not the part of HIPAA that bothers him.
"The law enforcement portion of HIPAA is its single worst feature," Gellman remarks. "[To get medical records] a government official can wave a badge and say, 'I qualify under HIPAA.' There are no requirements for warrants, court orders, subpoenas, or probable cause. Anyone from a national security agency can walk into a doctor's office and say, 'This is a national security issue. Turn over the record.' It would allow an HMO to hand over its entire database upon request."
HIPAA regulates organizations that create medical records, attempting to provide rules for all categories of possible disclosure of medical information. In most situations, HIPAA gives the patient zero control over who sees his records; medical-record holders, on the other hand, have tremendous leeway to allow government authorities to search and seize doctors' records for research, public health, criminal investigation, and intelligence-gathering purposes.
For years, the FBI and other federal agencies have been performing end runs around federal laws that prohibited them from spying on Americans by purchasing personal information from consumer information databanks. Huge databases of medical information -- obtained from divorce filings, police reports, DMV records, bank account statements, and credit card charges for purchases of prosthetic limbs, coronary drugs, birth control devices, enemas, and so on -- are gathered and stored by data aggregation firms that are in the business of selling consumer information. One such firm, ChoicePoint, has dozens of service contracts with federal agencies, including the FBI and the Department of Homeland Security, for access to the company's trove of 17 billion records.
But a wide variety of legal scholars and medical professionals interviewed for this story say the enhanced powers granted to law enforcement by HIPAA herald a fundamental change in the body of law governing the use and disclosure of medical and psychiatric records. One part of HIPAA empowers local police, sheriffs, county and city attorneys, district attorneys, state attorneys general, and federal crime-stoppers to obtain medical records under weakened standards. Another section similarly empowers the intelligence community, including the National Security Agency, the FBI, the CIA, the State Department, the Department of the Treasury, the Department of Energy, and "the intelligence elements of the Army, Navy, Air Force, Marine Corps ... and other elements of any other department or agency as may be designated by the President."
Until and unless the Supreme Court overturns HIPAA's privacy provisions, the new law will allow law enforcement and national security agencies to ask medical providers (including psychiatrists) for electronic or paper records. If they decline to turn them over, citing the Hippocratic oath as an excuse, officials can serve the providers with "administrative subpoenas," compelling them to hand over the records or face a jail sentence. Under HIPAA, an administrative subpoena may be served orally.
In 2001, United States attorneys' offices issued 2,102 administrative subpoenas for the FBI "to obtain [medical] records in major U.S. cities from various entities, such as hospitals, nursing homes and individual practitioners," according to a recent U.S. Department of Justice report to Congress. Unlike much evidence uncovered by search warrants, court orders, and grand jury subpoenas, the information gathered through administrative subpoena can be widely circulated among government agencies.