Testimony before the National Committee on Vital and Health Statistics (NCVHS), Subcommittee on Privacy and Confidentiality

Chairman Rothstein, members of the committee, thank you for giving the ACLU the opportunity to testify on the law enforcement exemptions to the HIPAA regulations. My name is Chris Calabrese. I am counsel to the American Civil Liberties Union’s Technology and Liberty Program. The ACLU is a nationwide, non-partisan organization of nearly 400,000 members dedicated to protecting the principles of liberty, freedom and equality set forth in the Bill of Rights. For more than 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life. Most recently we filed a lawsuit in the Florida courts on behalf of Rush Limbaugh to force the state to abide by its own laws when gaining access to his medical records.

My testimony is divided into two parts. The first part discusses the six main problems that the ACLU has with the law enforcement exemptions. The second part offers a real-world example of how far law enforcement can go in violating individual patient privacy while still remaining within the boundaries of HIPAA’s provisions, and some suggestions about what the Subcommittee should recommend as changes to the HIPAA regulation.

Part I

The law enforcement exemptions promulgated by HHS for HIPAA appear to establish limits on law enforcement access, but those limits are illusory and establish no meaningful legal process. They contain gaping loopholes that permit computerized medical records to be used as a vast centralized police database. Medical records of ordinary law-abiding Americans must not be treated like mug shots, fingerprints or other current databases compiled from convicted criminals.

We believe that government agents should be required to obtain judicial approval under a meaningful probable cause standard before they are granted access to a patient’s medical records in the custody of a third party such as a doctor or an insurance company. If an individual happens to keep his medical records in a desk drawer in his home, the police are required to obtain a search warrant from a neutral magistrate, based on a showing of probable cause, before entering the home and seizing the records. The individual’s privacy interest in those records is no less compelling because they are stored in his doctor’s office. This type of Fourth Amendment-like standard enhances patient privacy and engenders trust in the doctor-patient relationship.

Of course there are occasions when the police will have a compelling need to obtain medical records. The Fourth Amendment is not a bar to police investigations, but rather balances the interests of individuals to be secure in their personal papers and effects on the one hand, and the legitimate needs of law enforcement officials on the other. The current regulations do not reflect that balance.

First, there is no requirement of judicial review. The regulations give law enforcement agencies the choice of obtaining records pursuant to a warrant or court order (both reviewed by a neutral judge), a grand jury subpoena (typically issued by a prosecutor in the name of the grand jury), or an administrative subpoena, summons or civil investigative demand – all legal instruments issued without judicial review. Naturally law enforcement agents, especially in the pre-indictment stage of an investigation, will choose the least restrictive means of obtaining records: those that do not require review by a judge or prosecutor. Thus, under these rules, law enforcement agents may simply issue written demands to doctors, hospitals and insurance companies to obtain patient records. Since police are engaged in what Justice Jackson called the “often competitive enterprise of ferreting out crime,” Johnson v. United States, 333 U.S. 10 (1948), they cannot be expected to balance neutrally the competing goals of privacy and law enforcement.

Second, even when judicial review is sought, the legal standard under which the request will be evaluated is inadequate. Under the regulations, law enforcement need only assert that the information sought is (1) “relevant and material to a legitimate law enforcement inquiry” and (2) “specific and narrowly drawn as is reasonably practicable,” and that (3) “de-identified information could not reasonably be used.” This standard falls short of the traditional probable cause standard (probable cause to believe that the records contain evidence of a crime) and does not call for a balancing of the interests of law enforcement and privacy. The bar is set too low.

Third, the regulations do not require that the individual whose records are about to be searched receive notice of the search and an opportunity to contest its validity. Such notice is consistent with notions of due process in our adversarial system of justice. If there is a genuine risk that notice to the individual would lead to destruction of the records, the notice requirement could be waived. But in an ordinary investigation, law enforcement should either give the individual notice, when it proceeds by court order, or obtain a warrant.

Fourth, the proposal contains an overbroad identification exception. Section 164.510(f)(2) allows for release of patient information any time the police are trying to identify a suspect or fugitive. This overbroad exception turns all computerized medical records into a huge database through which the police may browse to seek matches for blood type and other personally identifiable health traits. Nothing in this section requires that law enforcement demands be specific or narrowly drawn. Dragnet searches of this kind are currently used to search through mug shots or fingerprints (or, increasingly, DNA banks) of convicted criminals. But those data banks exist because criminals have a diminished expectation of privacy following conviction. In contrast, the medical records of law-abiding citizens are not – and should not become – a police database.

Fifth, the regulations contain blanket exceptions, for intelligence and national security activities, to the minimal procedural requirements that apply to most law enforcement agencies. Current law already provides special procedures for intelligence gathering activities, but there is no precedent in the U.S. Code for a blanket exemption from lawful procedures for agencies engaged in domestic law enforcement. Granting any law enforcement agency such carte blanche authority is entirely unjustified.

Sixth, evidence obtained in violation of the legal standards in the regulation should be inadmissible at trial. HHS may not have statutory authority to mandate an exclusionary rule, since courts are not among the entities covered by the regulation pursuant to HIPAA. But there is no doubt about the authority of a court to enforce the legal requirements of the rule by excluding improperly obtained evidence, since courts have inherent authority to fashion remedies for violations of legal rules. Although such an endorsement would not be legally binding, HHS should endorse this approach to enforcement in the preamble to the regulations.

Part II

The lack of appropriate privacy controls leads to disturbing and dangerous results. For almost three years an initiative named the Strategic Medical Intelligence Unit (SMI) has operated in Pittsburgh, PA. This group of volunteer doctors is a pilot program that operates as a conduit between local doctors and the FBI. Its stated goal is to act as an early warning system for bioterrorist attacks. SMI doctors hold security clearances and receive regular briefings from the FBI.

Under the system, local doctors notify the SMI when they encounter a “suspicious event.” This term is completely undefined but seems to run the spectrum from unusual rashes to the loss of a limb in an explosion. The SMI then determines whether the event is a potential terrorism event and refers such events to the FBI. The SMI receives one to two referrals a week and has forwarded the individually identifiable information of at least three people to the FBI. Patients may or may not be told that their medical information is being forwarded to the FBI. Pennsylvania Senator Arlen Specter has stated that he will seek federal funding to expand SMI. We are mystified by the rationale for this dramatic violation of patient privacy. We can only assume SMI and the FBI believe their actions to be covered by the law enforcement or national security exemption.

It is an understatement to say that this type of information sharing has a chilling effect. An individual who knows that a doctor visit might trigger an FBI investigation is less likely to seek treatment, to the obvious detriment of his or her health. No one, guilty or innocent, wants to be under law enforcement scrutiny.

This problem is exacerbated by the complete lack of standards in this case. A very limited type of similar communication is currently allowed in the case of gunshot wounds and suspected abuse. But this type of program dramatically expands reporting and turns doctors into government informants.

Further, the program is completely unnecessary. The same type of information could be compiled in de-identified form. The reporting of a certain number of similar symptoms would trigger a bioterrorism investigation without violating the privacy of individuals.

SMI is a perfect example of what is wrong with the law enforcement exemptions to the HIPAA regulations. The state has abdicated its responsibility to balance privacy and security. Naturally, in such an environment law enforcement chooses security – even if there is an equal or better alternative that respects individual rights. After all, the police rightly expect government to perform the public policy analysis; their job is to catch lawbreakers with whatever tools we give them.

At a minimum, the HIPAA regulations must be strengthened. Medical records should be released only on a warrant, or on a court order with notice, asserting that police have probable cause to believe the requested records contain evidence of a crime. While some provision may have to be made for national security, we believe access to records under that provision should still be subject to independent oversight. The current HIPAA regulations ensure that the flimsiest security rationale trumps personal privacy. That harms patients, doctors and public health.