Big Doctor Is Watching

Dennis Scott is San Francisco's HIPAA czar.

In early April, my dentist was rooting around inside my mouth, making the terrible jokes for which he is infamous while I, as usual, laughed politely. Then he wiped his hands clean and handed me a toothbrush and a “Notice of Privacy Practices,” which he asked me to sign. I skimmed through it until I got to a part that said my medical records can be disclosed for “essential government functions,” including “law enforcement, execution of a military mission, conducting intelligence, counterintelligence, and national security activities.” My newly shining molars nearly fell out of my face.

According to the six-page privacy notice, the details of my checkered medical (and psychiatric) history are now open to people I do not trust, including my employer (note to New Times headquarters: just kidding), insurance salesmen, HMO executives, bill collectors, Walgreens clerks, steak fajita-eaters, and the spies with nests inside the Federal Building at 450 Golden Gate Ave.

Like many San Franciscans, I've expressed myself politically over the years in ways that (my suspicious mind has always assumed) might draw some measure of governmental notice. Somehow, though, it's more unsettling to think that the FBI might have a file on my weird bumps, adverse reactions, poxes, rashes, major medical events, psychic abrasions, and infected pimples, too. And it could.

As of April 14, physicians, dentists, therapists, health maintenance organizations, and insurance companies are required by federal law to tell patients that their medical records — long considered private and available to the government only if it showed a judge probable cause that a law had been violated — can be scooped up by the FBI, the CIA, state troopers, or even the local police, on the spot, as a result of a simple, oral request. The new law, called the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA), is being promoted by the Bush administration as an act of privacy protection.

In important ways that have gained little publicity, however, HIPAA vastly decreases the privacy privileges traditionally afforded to medical records, and organizations on the political left and right — from the American Civil Liberties Union to the Heritage Foundation — are united in their opposition to the new law. They contend that HIPAA requires doctors to violate the Hippocratic oath, the ethical code that has governed the confidentiality of the physician-patient relationship since the days of the ancient Greeks; that it strips patients of any meaningful control over their medical records; and that it increases the investigatory powers of federal, state, and local police agencies in violation of the Constitution's prohibition against warrantless searches.

Psychiatrists are suing the federal government to limit HIPAA's reach; there are several bills pending in Congress to repeal or rewrite it. Hundreds of thousands of California retirees are trying to stop HIPAA dead in its tracks. In San Francisco, a key city official is prepared to defy any law enforcement official who comes snooping around City Hall for personal medical information without a search warrant.

At the same time, though, state officials in Sacramento have written a bill to weaken California's strong privacy laws in favor of the far more invasive law enforcement privileges of HIPAA. And until something changes on the HIPAA front, you will probably never know if police agents decide to comb through your family's intimate medical information on the basis of an unwarranted suspicion and a simple verbal request.

The foundation of medical ethics is contained in the Oath of Hippocrates, which says, in part, “All that may come to my knowledge in the exercise of my profession, which ought not to be spread abroad, I will keep secret and never reveal.” The power of the oath has kept medical records largely confidential through the centuries in societies built on slavery, feudalism, and industrial capitalism.

Our world is, of course, more complex than ancient Greece. Studies show that in the age of computerized record-keeping, as many as 150 people, including neurosurgeons, pharmacists, billing clerks, and janitors, are privy to the contents of a hospital patient's chart. Now, the Hippocratic oath may be rendered essentially meaningless by a combination of federal law and the Information Age's propensity to create ever larger medical databases for reasons of efficiency, profit, and social control.

Until the mid-1990s, federal laws on medical privacy applied only to federal agencies, intending to limit possible misuse of this sensitive information for political purposes. Still, medical records were largely presumed to be private, and that presumption was backed by state statutes and the common law traditions.

But in 1996, Congress passed the Health Insurance Portability and Accountability Act, sponsored by Sens. Edward Kennedy (D-Mass.) and Nancy Kassebaum (R-Kan.). This legislation was intended to make health insurance portable for people who changed jobs. It required the government to develop guidelines for the secure transmission of electronic medical data. It called for the creation of a national standard for protecting the privacy of personal medical records.

Responsibility for writing the details for the implementation of HIPAA fell to officials at the U.S. Department of Health and Human Services. They were intensely lobbied by hospital and medical groups, HMOs, privacy rights advocates, pharmaceutical companies, medical equipment suppliers, software manufacturers, and law enforcement agencies. In the end, the law did not fully satisfy any particular interest groups (except, perhaps, law enforcement and intelligence agencies). Most medical providers were allowed more than two years to fully comply with the regulation's labyrinth of bureaucratic requirements, which includes training a HIPAA specialist inside every medical organization and practice.

HIPAA governs the privacy activities of all professionals who transmit medical and billing data electronically — which includes just about every medical professional, as well as group health plans and companies that handle financial and billing matters for providers. It also covers networks of lawyers, accountants, consultants, and pharmacists associated with health plans and doctors. Under HIPAA, patients cannot prevent their electronic and paper records from being used by any of these groups for health delivery and payment purposes, and some direct marketing is allowed. The medical industry is expected to police itself for unauthorized uses of patient information; the penalty for noncompliance is $100 per occurrence.

But controversial portions of the new law and its associated regulations allow police and intelligence agencies to obtain medical dossiers on demand, and to order medical-record custodians not to inform patients that the government has looked at their records.

Richard Campanelli, director of the Office of Civil Rights of the Department of Health and Human Services, which enforces HIPAA, says that the new law “limits access to medical records for the first time.” For example, Campanelli notes, before April 14 there were no federal laws guiding local law enforcement access to medical records. Likewise, he draws attention to nitty-gritty details of HIPAA, such as a requirement that doctors must allow patients to correct errors in their medical records, and another that computer screens must be turned away from prying eyes in the waiting room.

Clearly, though, Campanelli emphasizes portions of the new law that strengthen medical privacy in particular cases and underplays those aspects of the law that weaken medical privacy on a sweeping basis.

Robert Gellman, a Washington, D.C.-based privacy lawyer who was deeply involved in the HIPAA drafting process as a congressional staff member, points out that before HIPAA, patients routinely consented to allowing their doctor to share their medical records with colleagues and business support people. That is not the part of HIPAA that bothers him.

“The law enforcement portion of HIPAA is its single worst feature,” Gellman remarks. “[To get medical records] a government official can wave a badge and say, ‘I qualify under HIPAA.’ There are no requirements for warrants, court orders, subpoenas, or probable cause. Anyone from a national security agency can walk into a doctor's office and say, ‘This is a national security issue. Turn over the record.’ It would allow an HMO to hand over its entire database upon request.”

HIPAA regulates organizations that create medical records, attempting to provide rules for all categories of possible disclosure of medical information. In most situations, HIPAA gives the patient zero control over who sees his records; medical-record holders, on the other hand, have tremendous leeway to allow government authorities to search and seize doctors' records for research, public health, criminal investigation, and intelligence-gathering purposes.

For years, the FBI and other federal agencies have been performing end runs around federal laws that prohibited them from spying on Americans by purchasing personal information from consumer information databanks. Huge databases of medical information — obtained from divorce filings, police reports, DMV records, bank account statements, and credit card charges for purchases of prosthetic limbs, coronary drugs, birth control devices, enemas, and so on — are gathered and stored by data aggregation firms that are in the business of selling consumer information. One such firm, ChoicePoint, has dozens of service contracts with federal agencies, including the FBI and the Department of Homeland Security, for access to the company's trove of 17 billion records.

But a wide variety of legal scholars and medical professionals interviewed for this story say the enhanced powers granted to law enforcement by HIPAA herald a fundamental change in the body of law governing the use and disclosure of medical and psychiatric records. One part of HIPAA empowers local police, sheriffs, county and city attorneys, district attorneys, state attorneys general, and federal crime-stoppers to obtain medical records under weakened standards. Another section similarly empowers the intelligence community, including the National Security Agency, the FBI, the CIA, the State Department, the Department of the Treasury, the Department of Energy, and “the intelligence elements of the Army, Navy, Air Force, Marine Corps … and other elements of any other department or agency as may be designated by the President.”

Until and unless the Supreme Court overturns HIPAA's privacy provisions, the new law will allow law enforcement and national security agencies to ask medical providers (including psychiatrists) for electronic or paper records. If they decline to turn them over, citing the Hippocratic oath as an excuse, officials can serve the providers with “administrative subpoenas,” compelling them to hand over the records or face a jail sentence. Under HIPAA, an administrative subpoena may be served orally.

In 2001, United States attorneys' offices issued 2,102 administrative subpoenas for the FBI “to obtain [medical] records in major U.S. cities from various entities, such as hospitals, nursing homes and individual practitioners,” according to a recent U.S. Department of Justice report to Congress. Unlike much evidence uncovered by search warrants, court orders, and grand jury subpoenas, the information gathered through administrative subpoena can be widely circulated among government agencies.

For example, under HIPAA, the bulk of a mental health patient's file might be obtained by the FBI, and then be turned over to the CIA — which might decide to pass it on to the White House.

Given the known activities of J. Edgar Hoover and Richard Nixon, one does not necessarily need a conspiratorial mind to imagine possible government misuse of personal information obtained via a HIPAA administrative subpoena. What if a Democrat from a small flyover state who was rumored to be a womanizer happened to be running for president, and the FBI happened to find out that he'd contracted syphilis during a misspent youth? What if you are a vocal critic of the district attorney, and he lets you know that he knows you are addicted to pain medicine? What if you develop a heart murmur and, suddenly, the promotion you thought was in the bag goes to someone else?

“Under the Bush administration, we have lost a great deal of personal freedom, and most people are not even aware of it,” says Robert Moffit, a deputy assistant secretary at the Department of Health and Human Services during the Reagan administration who now is director of the Center for Health Policy Studies at the Heritage Foundation in Washington. The right-leaning Heritage Foundation generally objects to government regulation of the health care market, but the Republican-dominated think tank particularly dislikes HIPAA. Several years ago, it joined forces with its natural-born enemy, the American Civil Liberties Union, to lobby against the regulations. Both organizations claim that the new rules undermine patient confidentiality and violate the Fourth Amendment by allowing warrantless searches.

Ann Brick, an ACLU staff attorney based in San Francisco, is concerned that national security agencies will use HIPAA and the Patriot Act to search combined medical and consumer databases for particular identifiers, such as “Arab AND diabetes AND airplane mechanic.” It goes without saying that the search could be changed to have political parameters, “Democrat AND bipolar,” for example.

Actually, HIPAA is more law enforcement friendly in regard to medical records than the oft-criticized Patriot Act, which, at least, requires a judge to sign a court order every time that the FBI or its national security cousins want to search an HMO database, or take a peek at your gynecology file. Unlike the Patriot Act's limited due-process provisions, HIPAA's criteria for issuing subpoenas do not even require judicial review; law enforcers simply have to assert that a medical record or database is “relevant” to an investigation. And HIPAA is slated to outlive the medical-records portion of the Patriot Act, designed to “sunset” in 2005 unless Congress gives it a second life.

Ohio State University law professor Peter Swire was the White House coordinator for medical privacy rules in the Clinton years, and he played an instrumental role in the writing of the HIPAA Privacy Rule. Swire says that, under HIPAA, medical records are not protected by the Fourth Amendment's probable-cause requirement because the Supreme Court has ruled that a person loses “a reasonable expectation of privacy” when his papers (or records) are not in his home. “Once you have voluntarily given over your records to a doctor or a bank, they can decide to turn over your record to the police,” he says. “It's as if you have given a key to your house to a neighbor.”

But Daniel Solove, an associate professor at Seton Hall Law School in New Jersey who has written extensively in national legal journals about Fourth Amendment protections of electronic records, says it is unreasonable to exclude medical records from constitutional protection against unwarranted government search or seizure. “That HIPAA allows law enforcement to take action on a mere administrative subpoena is unconstitutional,” Solove says. “For centuries, it has been reasonable for people to expect their doctors to keep their intimate confidences under the Hippocratic oath and the common law.”

In 1971, as the Vietnam War raged, a Defense Department analyst named Daniel Ellsberg gave the New York Times 47 volumes of secret documents — the Pentagon Papers — showing that American politicians had been systematically lying to the public about events in Vietnam for decades. President Richard Nixon responded by authorizing his aides to burglarize the office of Ellsberg's psychiatrist, in an attempt to discredit the DOD analyst. The aides eventually went to prison, Nixon resigned in disgrace, and Congress passed the Privacy Act of 1974, which greatly limited the government's ability to acquire or to use personal information without a court order.

HIPAA has effectively unwritten the Privacy Act in regard to medical records, and America's psychiatrists are leading the charge against it. “An ethical physician would decline to release information to anyone without patient consent,” says Dr. Paul S. Appelbaum, outgoing president of the American Psychiatric Association.

“The government can issue regulations, but it can't change the fundamental ethics that the medical profession has held for several thousand years. We are concerned by the [HIPAA Privacy Rule] provision that would allow for the release of medical information anytime the police are trying to identify a suspect. This broad exception would allow computerized medical records to be sifted through by police to seek matches for blood or other health traits.”

Although the Supreme Court has found that psychiatric records enjoy the privilege of physician-patient confidentiality, HIPAA extends that privilege only to the actual notes in which a mental health professional records “the contents of conversation during a private counseling session,” and only if those notes are kept separately, i.e., not sprinkled about in the rest of a patient's file. HIPAA does not recognize the existence of a psychiatrist-patient privilege (which is similar to the lawyer-client privilege) for “medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”

This is a shattering change in the classical protections extended to mental health information, says Appelbaum. “For many years, we could say to the police, the FBI, the Secret Service that we don't release information without patient consent or a court order. Law enforcement learned not to ask for such records.

“HIPAA makes it much more likely that doctors and medical facilities will be approached by police and intelligence agencies, and now we have less ammunition to use in the battle to protect patient confidence. The use of administrative subpoenas is a profound change. Police can search medical records without ever having to step before a judge to demonstrate the reasonableness of their request.”

Recently, the American Psychoanalytic Association (a national group of 3,500 psychoanalysts not to be conflated with the larger American Psychiatric Association) joined with the Congress of California Seniors, a nonprofit interest group based in Sacramento, in a lawsuit against the federal government. The lawsuit says that HIPAA destroys constitutional protections against governmental abuse of its police powers while it undermines public trust in the integrity of the physician-patient relationship.

Bill Powers of the Congress of California Seniors says that his group's 600,000 retirees are afraid that improper disclosures of their medical and psychiatric records will negatively affect their chances to get jobs, health insurance, and loans. “Under the guise of protecting our privacy rights,” says Powers, “the Bush administration is imposing on our rights.”


On the congressional front, conservative Texas Republican Ron Paul is sponsoring a bill in the House of Representatives to repeal HIPAA. Liberal Democrats are backing a brace of bills in the House and the Senate that would make some changes in HIPAA, but that appear to leave the government's nearly unlimited power of intrusion into medical files largely intact.

Until and unless legislation or a court decision significantly changes HIPAA's privacy rules, their use will probably differ from state to state. HIPAA says state laws that are more protective of privacy will trump HIPAA regulations that have weaker privacy provisions. But deciding which law is more protective can be a tricky judgment call.

Should Californians fear that state troopers or local police will use administrative subpoenas to grab their medical records? The state Constitution has a “right to privacy” enshrined in its first paragraph; it requires that the government show probable cause for the search and seizure of personal papers. And in years past, the Legislature has passed strong privacy protections. For instance, California has a statute that says state agencies cannot disclose medical data that identify individual patients without being served with court-approved search warrants.

Oddly, the state government seems intent on weakening those protections.

The California Office of HIPAA Compliance (CALOHI), which is part of the state Health and Human Services Agency, recently spent $2 million comparing hundreds of state laws to HIPAA. The office hasn't completed its work, but state lawyers have concluded that the strong search powers that HIPAA grants to law enforcement seem to overrule California laws. These lawyers wrote a bill that would bring state laws into conformity with HIPAA. The bill is sponsored by the Senate Committee on Insurance, chaired by state Sen. Jackie Speier (D-Hillsborough).

Richard Turkington, a professor at Villanova University School of Law in Pennsylvania, is a national expert in privacy and constitutional law and HIPAA. He reviewed CALOHI's work at the request of SF Weekly and subsequently said he was surprised that the state did not address the privacy and search and seizure protections written directly into the California Constitution, which, he says, “give greater privacy rights than HIPAA.”

“The federal government made the landmark choice not to write strong Fourth Amendment protection into HIPAA,” Turkington observes, “but left the states with the discretion to do so. The practical effect of Speier's bill would be to nullify current California legislation that provides more protection for medical records than HIPAA.”

Dana Mitchell, legal counsel to the California state Legislature, agrees with Turkington that Speier's bill allows HIPAA to swallow up the more protective state laws. “We should rewrite it,” she says, adding that she hopes someone will light a fire under the Legislature to do so.

A spokesman for Speier, Michael Ashcraft, says that the bill is not likely to move beyond the confines of the Senate Committee on Insurance. “The purpose of the bill was to clarify which law to follow, state or federal, in regard to medical records,” Ashcraft says. “But CALOHI could not come up with language that was not controversial.” He declines to say what position Speier takes on the possibility of HIPAA prevailing over stronger state privacy laws.

Closer to home, the dangers inherent in HIPAA's dilution of probable-cause standards have not escaped Dennis Scott, the chief HIPAA compliance officer for the city of San Francisco. If the police or federal agents ask San Francisco Department of Health employees for patient medical records, city workers are instructed to contact Scott, who favors “giving up medical records only with a judicially approved court order, as opposed to the wave of a badge.”

Loren and Ron Morgan live in Bernal Heights — the San Francisco neighborhood that feels like a small town — with their three teenage daughters, Reed, Maud, and Phoebe. Ron says that he got a HIPAA notice at his doctor's office recently. “I thought it was a formality, didn't bother to read much of it. I saw the words ‘due process’ and figured that it protected us, so I signed.”

Later, Ron and Loren read the small print. “This makes me mad,” Loren says. “What do they want with my children's files, our psychotherapy records?”

“I always thought our records were private,” Ron says, swearing softly.

“This makes me want to leave the country,” exclaims Loren.

As America grows progressively more HIPAA-aware, millions of people may begin to have similar reservations. Because of a Catch-22 literally written into HIPAA, however, there will be very little they can do to challenge government requests for their medical records.

Under HIPAA, doctors, HMOs, and other medical professionals are prohibited from telling the Morgans (and nearly 300 million other Americans) when their medical records have been requested or seized via administrative subpoena, or simply handed over voluntarily by HMOs eager to curry favor with law enforcers and secret agents. Unless the feds decide to tell them, they will never know what the government knows about their medical and psychiatric history.

Prozac, anyone?

Lord of the Files

The government giveth standards for electronic medical records so the government can taketh away the records later

The Health Insurance Portability and Accountability Act is not only intended to govern who has access to medical records. It also sets up generalized standards to govern how people store and transmit electronic records. The government estimates that the medical industry will spend $17.5 billion on equipment and software to make HIPAA electronic security standards work. As a result, during a recent cybersecurity trade show at the Moscone Center, HIPAA was more than a hot topic of discussion.

The usually invisible U.S. National Security Agency, which monitors real-time electronic communication worldwide, and the Department of Defense, which has numerous intelligence agencies under its umbrella, were at the conference. The two agencies have partnered with dozens of private-sector firms, including the Booz Allen Hamilton consulting firm and American Express, as well as the Newspaper Association of America (a trade group for newspaper publishers), to develop technical specifications for software products that will make the medical industry's computer systems “HIPAA-compliant” by the spring of 2005.

Several speakers at the security conference were concerned, however, about the potentially Orwellian effect of government micromanagement of data standards. Those standards might in some sense enhance medical privacy; they could also allow the government to access and use medical records more easily, because the government will have dictated the digital parameters under which the records must be kept.

“Before 9/11, we concentrated on how to protect consumer information,” said Lance Hayden, business development manager for Cisco Systems Inc. “Now it's about how to get better surveillance. It's a complete shift in focus.

“The feds are driving the development of computer security from Echelon [the NSA program that listens to electronic communications worldwide] to HIPAA. The government is trying to pull together disparate systems of data sources and mine it for patterns and intelligence.”

As a way of explaining, Hayden drew a line to represent what he calls a “continuum of surveillance.” Post-Watergate laws, such as the Privacy Act of 1974, were designed to restrict the government's ability to gather personal information; they lie at one end of the line. “At the other extreme from the Privacy Act,” Hayden said, “is the ‘panopticon’ state, the total surveillance society. HIPAA falls somewhere in between — it is the government saying, ‘We will monitor you.’”

Because the U.S. government sets many computer security standards and is the single biggest buyer of computer goods, the tech sector is, quite naturally, following the government's lead and money, and Cisco is no exception. The San Jose-based company is offering firewalls, encryption programs, and consulting services tailored to meet the HIPAA standards. Booz Allen Hamilton, headquartered in McLean, Va., was recently awarded a $3 million contract to train the U.S. military's 130,000 health care providers in HIPAA compliance. And the Bay Area-based Sybase Inc., which sells Patriot Act compliance software that monitors bank customers' transactions in real time for suspicious patterns, has just rolled out HIPAA Studio, a suite of medical-records software that, presumably, meets new NSA/DOD-developed security standards.

As Sybase's trademarked motto puts it: Everything Works Better When Everything Works Together.
