As my head reels at the implications of the IRS scandal mushrooming in Washington, the IRS’s recently disclosed ability to access e-mails without warrant, the intricacy of the NSA PRISM wiretap techniques that includes their ability to acquire tech firms’ digital data, and even the Justice Department’s ability to secretly acquire telephone toll records from the Associated Press, I wonder (as a doctor) what all this means for the privacy protections afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in our new era of mandated electronic medical records. Are such privacy protections credible at all?
It doesn’t seem so.
Now it seems everyone’s health data is just as vulnerable to federal review as their Google search data. This is not a small issue. We have already seen that discovering “leaks” of personal health information has produced some very handsome rewards for the feds, so it is not beyond reason to think that HIPAA might also be a funding tool for our government health care administration disguised as a beneficent effort to protect the health care data of our populace.
But even more concerning is the role the IRS scandal has for America’s health care system. After all, the Affordable Care Act is ultimately funded by the IRS by administering some 47 tax provisions. These include the right to levy a penalty against businesses and individuals who don’t provide or acquire insurance and determining how to distribute annual subsidies to 18 million people who make less than $45,000 a year and thus qualify for subsidies in buying health coverage. In addition, the agency will collect taxes on medical devices and a surtax on people making more than $200,000 a year, as well as conducting compliance audits of tax-exempt hospitals.
There aren’t many who would quibble with an argument that those with severe mental illness—specifically, individuals “who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity. or otherwise have been [legally judged] to have a severe mental condition that results in the individuals presenting a danger to themselves or others“—should not be able to purchase firearms. Right? Right.
Making that law isn’t actually the trouble (expanding background checks is, of course, a different story). It’s already law, and has been on the books for awhile. The trouble is enforcing it.
The federal government maintains the National Instant Criminal Background Check System (NICS), a database of people who are federally prohibited from purchasing guns, including felons, people convicted of domestic violence, and individuals who meet the extreme mental illness criteria above. Except:
Federal law does not require State agencies to report to the NICS the identities of individuals who are prohibited by Federal law from purchasing firearms, and not all states report complete information to the NICS.
To recap: We have federal criteria that prohibits certain individuals from buying firearms. The feds maintain a database of known individuals for background checks (which take 30 seconds, per the regulation). But states aren’t required to offer the names of “prohibitors” to the database.
I am affiliated with the institution where Dzhokhar Tsarnaev is currently hospitalized. I am friends with people who have treated him. I’m trying to stay away from those people; I would be unable to help asking them about him. They might be unable to help talking about him. There has been a flurry of emails and red-letter warnings cautioning people here not to talk about Mr. Tsarnaev or look him up on the EMR (Electronic Medical Record) system. Despite this there have been leaks of information and photos from various sources. It is virtually impossible to keep people from asking about him and talking about him. Curiosity is human nature. When human nature comes up against morals and laws, human nature will win a good percentage of the time. The question is: given what he has done, does this 19-year-old still have his right to privacy?
The answer, of course, is yes. The American Medical Association includes patient confidentiality in it’s ethical guidelines:
“…the purpose of a physicians ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information…with the knowledge that the physician will protect the confidential nature of the information disclosed.”
Threre are legal guidelines as well, most notably with the Health Insurance Portability and Accountability Act, or HIPAA. This law was originally passed in 1996 to improve the efficiency and effectiveness of the health care system, allow people to switch jobs without losing their health insurance, and impose some rules on electronic medical information. Congress incorporated into HIPAA provisions that mandate the adoption of the Federal privacy protections for health information. The “simplified” administrative document for the privacy and security portions of HIPAA is 80 pages long. Basically your health information cannot be shared with ANYONE. Of course, there are exceptions to HIPAA. Continue reading…
I’m sure you get a lot of hate mail, especially from folks in my profession, so when you got this letter from me you probably assumed it was more of the same. Let me reassure you: I am not one of those docs. I do think patient privacy is important, and actually found you quite useful when facing unwanted probing questions from family members. I believe the only way for patients to really open up to docs like me is to have a culture of respect for privacy, and you are a large part of that trust I can enjoy. Yeah, there was trust before you were around, but that was before the internet, and before people used words like “social media,” and “data mining.”
But there have been things done in your name that I’ve recently come in contact with that make me conclude that either A: you are very much misunderstood, or B: you have a really dark side.
Today I got pretty depressed. I saw a link that 13 tech companies were funding a seminar put on by Deb Peel’s Patients Privacy Rights.org (and no I’m not helping with a link) It’s a big pity that sensible companies have been pressured into funding that organization and worse that somehow despite the gibberish Peel has spoken in so many places she’s accepted as being the main face of consumer concerns about privacy. Of course I’ve had my say about her in the past. However I was a little heartened by this Milt Freudenheim NY Times article which after decrying the “epidemic” of personal health information violations had both David Brailer and Wes Rishel basically saying, 1) yes there will be breaches, 2) no, that’s not a reason not to go electronic and c) we need a system that bans the illegitimate use of the data–rather than punishes the accidental breach. And no Deb Peel in sight. Well done NYT.
Today the Supreme Court will hear oral arguments in IMS Health v. Sorrell. The case pits medical data giant IMS Health (and some other plaintiffs) against the state of Vermont, which restricted the distribution of certain “physician-identified” medical data if the doctors who generated the data failed to affirmatively permit its distribution.* I have contributed to an amicus brief submitted on behalf of the New England Journal of Medicine regarding the case, and I agree with the views expressed by brief co-author David Orentlicher in his excellent article Prescription Data Mining and the Protection of Patients’ Interests. I think he, Sean Flynn, and Kevin Outterson have, in various venues, made a compelling case for Vermont’s restrictions. But I think it is easy to “miss the forest for the trees” in this complex case, and want to make some points below about its stakes.**
Privacy Promotes Freedom of Expression
Privacy has repeatedly been subordinated to other, competing values. Priscilla Regan chronicles how efficiency has trumped privacy in U.S. legislative contexts. In campaign finance and citizen petition cases, democracy has trumped the right of donors and signers to keep their identities secret. Numerous tech law commentators chronicle a tension between privacy and innovation. And now Sorrell is billed as a case pitting privacy against the First Amendment.
There is an old tension between privacy and the First Amendment, best crystallized in Eugene Volokh’s effort to characterize privacy protections as the troubling right to stop others from speaking about you. Neil Richards has dissected the flaws in Volokh’s Lochneresque effort to reduce the complex societal dynamics of fair data practices to Hohfeldian trump cards held by individuals and corporations. Societies reasonably conclude that certain types of data shouldn’t influence certain types of decisions all the time. And courts have acquiesced, allowing much “of the vast universe of speech [to] remain untouched (and thus unprotected) by the First Amendment.”Continue reading…