Big Doctor Is Watching

The California Office of HIPAA Compliance (CALOHI), which is part of the state Health and Human Services Agency, recently spent $2 million comparing hundreds of state laws to HIPAA. The office hasn't completed its work, but state lawyers have concluded that the strong search powers that HIPAA grants to law enforcement seem to overrule California laws. These lawyers wrote a bill that would bring state laws into conformity with HIPAA. The bill is sponsored by the Senate Committee on Insurance, chaired by state Sen. Jackie Speier (D-Hillsborough).

Richard Turkington, a professor at Villanova University School of Law in Pennsylvania, is a national expert in privacy and constitutional law and HIPAA. He reviewed CALOHI's work at the request of SF Weekly and subsequently said he was surprised that the state did not address the privacy and search and seizure protections written directly into the California Constitution, which, he says, "give greater privacy rights than HIPAA."

"The federal government made the landmark choice not to write strong Fourth Amendment protection into HIPAA," Turkington observes, "but left the states with the discretion to do so. The practical effect of Speier's bill would be to nullify current California legislation that provides more protection for medical records than HIPAA."

Dana Mitchell, legal counsel to the California state Legislature, agrees with Turkington that Speier's bill allows HIPAA to swallow up the more protective state laws. "We should rewrite it," she says, adding that she hopes someone will light a fire under the Legislature to do so.

A spokesman for Speier, Michael Ashcraft, says that the bill is not likely to move beyond the confines of the Senate Committee on Insurance. "The purpose of the bill was to clarify which law to follow, state or federal, in regard to medical records," Ashcraft says. "But CALOHI could not come up with language that was not controversial." He declines to say what position Speier takes on the possibility of HIPAA prevailing over stronger state privacy laws.

Closer to home, the dangers inherent in HIPAA's dilution of probable-cause standards have not escaped Dennis Scott, the chief HIPAA compliance officer for the city of San Francisco. If the police or federal agents ask San Francisco Department of Health employees for patient medical records, city workers are instructed to contact Scott, who favors "giving up medical records only with a judicially approved court order, as opposed to the wave of a badge."

---

Loren and Ron Morgan live in Bernal Heights -- the San Francisco neighborhood that feels like a small town -- with their three teenage daughters, Reed, Maud, and Phoebe. Ron says that he got a HIPAA notice at his doctor's office recently. "I thought it was a formality, didn't bother to read much of it. I saw the words "due process' and figured that it protected us, so I signed."

Later, Ron and Loren read the small print. "This makes me mad," Loren says. "What do they want with my children's files, our psychotherapy records?"

"I always thought our records were private," Ron says, swearing softly.

"This makes me want to leave the country," exclaims Loren.

As America grows progressively more HIPAA-aware, millions of people may begin to have similar reservations. Because of a Catch-22 literally written into HIPAA, however, there will be very little they can do to challenge government requests for their medical records.

Under HIPAA, doctors, HMOs, and other medical professionals are prohibited from telling the Morgans (and nearly 300 million other Americans) when their medical records have been requested or seized via administrative subpoena, or simply handed over voluntarily by HMOs eager to curry favor with law enforcers and secret agents. Unless the feds decide to tell them, they will never know what the government knows about their medical and psychiatric history.

Prozac, anyone?

---

Lord of the Files

The government giveth standards for electronic medical records so the government can taketh away the records later

The Health Insurance Portability and Accountability Act is not only intended to govern who has access to medical records. It also sets up generalized standards to govern how people store and transmit electronic records. The government estimates that the medical industry will spend $17.5 billion on equipment and software to make HIPAA electronic security standards work. As a result, during a recent cybersecurity trade show at the Moscone Center, HIPAA was more than a hot topic of discussion.

The usually invisible U.S. National Security Agency, which monitors real-time electronic communication worldwide, and the Department of Defense, which has numerous intelligence agencies under its umbrella, were at the conference. The two agencies have partnered with dozens of private-sector firms, including the Booz Allen Hamilton consulting firm and American Express, as well as the Newspaper Association of America (a trade group for newspaper publishers), to develop technical specifications for software products that will make the medical industry's computer systems "HIPAA-compliant" by the spring of 2005.