hipaa – Techdirt
Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records
from the third-party-doctrine-beats-HIPAA dept
The Fourth Amendment is rarely a match for the Third Party Doctrine. In recent years, things have gotten a wee bit better thanks to a couple of Supreme Court rulings. But the operative principle still overrides: whatever we share (voluntarily or not) with private companies can often be obtained without a warrant.
That’s why bills have been introduced to add Fourth Amendment protections to cell location data gathered by phone apps. That’s why there’s been a constant struggle in courts and in Congress to reconcile the Third Party Doctrine with the Fourth Amendment, given the vast amount of information and data Americans now share with thousands of third parties.
Then there are the players in the Third Party Doctrine market. There’s the government, which wants as much information as it can obtain without having to subject its actions and motives to judicial scrutiny. And there are the private companies, which figure it’s far more cost effective to just give the government what it wants, rather than challenge government requests for data in court.
The private entities involved here probably have more reason than most to not try to piss the government off. Not only are they still struggling to recover from a widespread retail downturn ignited by a worldwide pandemic, but they’re also paying off large settlements to the government for playing things a bit too fast and loose when it came to handing out opioids to Americans.
As Beth Mole reports for Ars Technica (and following on the heels of the news pharmacy chain Rite Aid is facing a five-year facial recognition tech ban), every major player in the retail pharmacy business has been handing over sensitive medical data to the government without ever demanding to see an actual warrant.
All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.
[…]
They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.
All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.
Three chains (CVS, Kroger, and Rite Aid) all told Congress they don’t even do a legal review of the subpoenas handed to them by government agencies. Instead, they apparently assume that if the government’s name is on it, it must be a valid request. The good news, I suppose, is that the other chains are at least involving their lawyers when it comes to data requests.
HIPAA (Health Insurance Portability and Accountability Act) — the medical record privacy law frequently misunderstood (and mis-acronymed) by laymen, lawyers, and legislators alike — is of no use here. HIPAA only prevents medical information from being released without permission to private parties not specifically authorized to obtain it. Pretty much any request originating from law enforcement agencies is considered to fall under the “if required by law” exception, even if the requests haven’t actually been vetted by pharmacy company lawyers and/or may not be legitimate demands for sensitive medical info.
The “required by law” phrase is important here. Law enforcement agencies have their own legal interpretations of the Third Party Doctrine, but none of that matters much in the case of HIPAA. All it would take to prevent pharmacy chains from handing out this data without a warrant would be the federal Department of Health and Human Services (HHS) taking this out of the Third Party Doctrine’s hands and placing a presumption of privacy on it.
That’s the gist of the letter [PDF] recently sent to HHS Secretary Xavier Becerra by Senator Ron Wyden, Rep. Pramila Jayapal, and Rep. Sara Jacobs. It cites a bit of courtroom and private company precedent to urge this situation along.
We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles. Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy. In 2010, after just one Federal Court of Appeals held that Americans have a reasonable expectation of privacy in their emails and that the 1986 Congressionally enacted law permitting disclosures of email pursuant to a subpoena was unconstitutional, all of the major free email providers — Google, Yahoo, and Microsoft — started insisting on a warrant before disclosing such data.
Looks pretty simple. All that’s needed is a change of policy, even if there’s no change in law. The problem with this, though, is that the head of the HHS has had plenty of time to change this policy to erect a higher standard for demands for customers’ information. The letter notes the legislators first informed Becerra of this potential issue in July, following the Dobbs decision in June, hoping the HHS would erect more protections to prevent people from being prosecuted for obtaining birth control products.
The following months delivered confirmation of the legislators’ concerns. Now, it’s up to the HHS to move forward. While we wait to see whether a former prosecutor is willing to elevate the privacy of Americans above the warrantless desires of law enforcement, we can at least be somewhat comforted by the fact that some of these companies are going to be a bit more transparent about their cooperation with the government. CVS, Walgreens, and Kroger have all promised to publish periodic reports about government requests for data. Amazon has gone one step further by notifying customers about government demands for their data.
There’s no reason the government shouldn’t need to secure a warrant to obtain this data. It’s protected by federal law against everyone else patients haven’t specifically granted permission to obtain. The government shouldn’t presume the existence of the Third Party Doctrine means customers’ prescription records are an open book. But it does and that needs to change, either through voluntary action or legislative mandate if the government can’t be talked into respecting the privacy of records most Americans likely assume are already covered by federal privacy protections.
Filed Under: 4th amendment, drug records, hipaa, pharmacies, surveillance, third party doctrine
The Pandemic And The Evolution Of Health Care Privacy
from the tradeoffs-are-everywhere dept
When I teach privacy law, I try to make the issues real for the students. It often isn’t that hard: privacy issues remain in the news almost every day. The evolution of the pandemic has made more of these issues real and is leading to a series of critical questions for the future of health care privacy. These issues are not new, but the focus of the attention on pandemic issues has made the need for discussion and resolution of these issues even more critical.
We are seeing four distinct categories of issues arising from the pandemic.
The differing interests of patients
We have seen over the past several years a variety of health care policy goals where there is a tension between an individual’s interest in privacy and their interests in some other aspect of the operation of the health care system.
For example, in the recent federal debate over “information blocking,” there was a substantial and visible (and mostly pre-pandemic) discussion about whether the interest of patients in having access to their medical information should take precedence over the protection of those records under the U.S. Health Insurance Portability and Accountability Act Privacy and Security rules. A variety of relevant stakeholders tried to find a “win-win” in this situation, but the eventual result is that, because of the limited scope of the HIPAA rules, there will be situations in which a patient’s interest in receiving access to their medical records will mean that those records, once released, will not be subject to the full protections of the HIPAA Privacy and Security rules.
The primary choice in this situation was to favor a patient’s interest in access to their records over their privacy and security interests (although the regulations tried to balance these the best they could).
A similar issue has played out with the recent Department of Health and Human Services enforcement guidance related to telehealth. As part of its pandemic response, HHS has made clear that it will not be taking enforcement action involving telehealth visits; this means that health care providers interested in providing telehealth services did not need to be concerned about the details of the HIPAA Security Rule in conducting these visits. Whether this enforcement waiver was required is a different question, but the clear intent is to provide support for telehealth visits at a time when telehealth visits are critical to the interests of patients in receiving health care.
Through this health care enforcement waiver, the government selected the benefits to consumers (and the health care system) from enhanced telehealth opportunities over the more specific privacy and security interest of the HIPAA rules.
Balance between privacy interests and health care system interests
HHS also has issued other HIPAA guidance stemming from the pandemic. While the justification for these actions is less clear, the goal is to facilitate the operation of the health care system at a time when the system is stressed, by reducing otherwise applicable HIPAA obligations.
This has led to a waiver of certain HIPAA requirements (including the obligation to provide a privacy notice and an opportunity for a request for restrictions or confidential communication). This was a policy choice, but why this choice actually helped the system, at a clear detriment to privacy interests, is less clear.
Similarly, HHS has announced that business associates now can make disclosures of patient information for public health purposes, increasing the sources of public health disclosures beyond what the Privacy Rule previously seems to have permitted.
How to address non-HIPAA health data issues (e.g., employee health data)
We also are seeing a focus on health care privacy interests during the pandemic where HIPAA is largely irrelevant. This is not a new issue. I have been writing about this issue of “non-HIPAA health data” for almost 10 years.
Here, however, the focus has been on health care information of employees and others in connection with access to business locations and business activities. This employee information is not subject to HIPAA (for most employers, HIPAA applies primarily through their health insurance benefits plan), but other laws, such as the Americans with Disabilities Act, clearly apply.
For site visitors, guests, service workers and others, there may be no generally applicable privacy law, at least in the United States, regulating how personal health information can be collected and used. This means that when companies in the U.S. think about how they can share specific health information about specific individuals, the current primary health care privacy law is irrelevant.
How to address non-health data relevant to the health care system (e.g., location data for health monitoring)
Last, we also are seeing the evolution of a related health care issue: the increasing recognition in a variety of circumstances that information that isn’t clearly about health does, in fact, matter when operating the health care system.
In the pre-pandemic HIPAA context, there was a regulatory proceeding where HHS was exploring whether to modify the HIPAA rules to permit, for example, the sharing of protected health information with social service organizations, even though these organizations do not fit cleanly into the HIPAA framework.
The inquiry reflects a recognition that social issues (food or housing needs, for example) can play an important role in the overall health of an individual. In the pandemic situation, we are focused now on location data and how it can be used for public health purposes. This data doesn’t, by itself, say anything about your health, but it will be used to identify the movements of individuals affected by the coronavirus and identify others for whom there also are health-related risks.
This is both a health care privacy and a civil liberties issue. It is exactly the kind of issue that is addressed throughout the HIPAA rules, where the smooth operation of the health care system was incorporated as a means of modifying otherwise applicable privacy interests.
But this is a different order of magnitude and one in which the full attention of society is focused on these issues in a way that HIPAA seldom catches the public’s attention.
I raise these issues not because there is a clear or obvious answer. These clearly are difficult times, and we must take advantage of the opportunity presented by these pandemic challenges to evaluate the issues, but we must also be careful not to let the emergency circumstances dictate bad choices.
In the national privacy law debate, the role of the health care system has taken a back seat to the larger privacy debate. This is both understandable and problematic. The health care industry has viewed privacy law as relatively settled for many years, but we are increasingly recognizing that this is not really the case.
The HIPAA rules often work well where they apply, but there are both more situations in which they don’t apply, and a broader range of events where the rules may not work well. The pandemic has led to the immediate need to address some of these complications in real time, but we will need to ensure that these issues remain in the public debate and that the increasing complexities of health care privacy can be addressed appropriately in any future U.S. privacy law.
Kirk Nahra is a Partner with WilmerHale in Washington, D.C. where he co-chairs their global Cybersecurity and Privacy Practice.
Filed Under: covid-19, healthcare, hipaa, pandemic, privacy
Thanks To The DEA And Drug War, Your Prescription Records Have Zero Expectation Of Privacy
from the BUT-HER-OXY dept
How private are your medical records? You’d think they’d be pretty damn private, considering Congress specifically passed a law regulating the disclosure of these sensitive records. Some states feel the same way, extending even greater privacy protections to things like prescription records. Not only are medical entities prevented from passing on sensitive info without patients’ consent, local law enforcement agencies aren’t allowed to obtain third-party records like prescription data without a warrant.
Seems pretty locked down, but as Leslie Francis and John Francis point out at the Oxford University Press blog, federal law enforcement agencies have undone both Congressional protections and state protections.
Utah’s requirement for a warrant conflicts with the federal Controlled Substances Act (CSA), which permits the DEA to issue administrative subpoenas for information relating to individuals suspected of violations of the CSA. According to a US Department of Justice report, administrative subpoenas may be issued by the agency without judicial oversight and without the showing of probable cause that would be required for a warrant.
When states provide more protections to residents than the federal government’s willing to grant, it’s often the state laws that lose, especially when controlled substances are involved. Such is the case here, at least so far. The DEA demanded the release of patient info/prescription records without a warrant, something forbidden by Utah law. The state objected to the DEA’s records demand. The DEA responded by flexing its considerable federal muscle.
The DEA countered with the Supremacy Clause: valid federal laws are superior to conflicting state laws.
The court ended up agreeing with the DEA: patient info and prescription records aren’t afforded additional privacy protections, no matter what HIPAA/state laws have to say about the matter. The court’s rationale was that prescription medicine is part of a “closely regulated” industry, which lowers the bar for government access. This lumps pharmacies and hospitals in with pawn shops, gun dealers, and adult filmmakers.
The Francises point out that this reading of close regulation and the DEA’s Supremacy assertions is incredibly broad. It proposes nearly no limits to what the government can grab without a warrant. While the court discussed the possibility that this should be limited to prescriptions containing controlled substances, it drew no precedential conclusions that might have shortened the government’s reach.
And, indeed, there are no court decisions that grant reasonable privacy expectations to records most members of the public feel should be accessed only by them and their healthcare providers. The blog points to the last Supreme Court ruling related to patient privacy — one that’s nearly 40 years old at this point. All the Whalen v. Roe decision did was indicate the Court believed New York state’s statutory privacy protections were enough and that there was no need to drag the Fourth Amendment into this. As we can see from the DEA’s actions and assertions, statutory privacy protections mean nothing, not if the federal government can step in and override protections put in place by state and local governments.
Filed Under: 4th amendment, dea, drug war, hipaa, law enforcement, medical records, prescriptions, privacy, warrant
Court: Okay For Trial To Move Forward Against ESPN For Tweeting JPP's Medical Chart
from the getting-the-finger dept
The Fourth of July is long in our rearview mirrors, but for some folks the holiday haunts them still. Such is the case with NFL football player Jason Pierre-Paul, who quite famously managed to celebrate our nation’s independence by blowing apart a good chunk of his hand a year and a half ago. So too does the holiday likely remain top of mind for ESPN and its reporter, Adam Schefter, who found themselves in a bit of controversy after reporting on Pierre-Paul’s condition and tweeting out a copy of the player’s medical chart, revealing that he had no digits where there previously had been fingers. Pierre-Paul sued Schefter and ESPN for invading his privacy, arguing that he’d suffered great harm as a result and suggesting that, though Schefter had received the medical chart from a source, the publication of such information might make it less likely for other famous persons to seek medical treatment in the future. ESPN, meanwhile, attempted to spike the lawsuit on First Amendment grounds under an anti-SLAPP statute, arguing that journalists have always been free to provide evidence for stories gained from sources.
Well, the court has ruled against ESPN’s attempt to have the suit dismissed, saying the lawsuit will proceed.
New York Giants defensive end Jason Pierre-Paul is suing ESPN and star reporter Adam Schefter over a tweet that revealed an amputated right finger as a result of a July 4 celebration last year. The NFL star asserts he suffered great damage when Schefter showed his four million followers a copy of Pierre-Paul’s medical chart. But despite ESPN’s First Amendment arguments, a judge on Thursday rejected ESPN’s attempt to dismiss, according to a statement from Pierre-Paul’s attorney.
ESPN, represented by the same lawyers that represented Gawker, argued that courts “have consistently recognized that a journalist is entitled to include visual evidence corroborating a report on a matter of public concern.”
ESPN’s lawyers also pointed out that Pierre-Paul is not suggesting that Schefter was prohibited from reporting on the exact details within the chart, which was the actually harmful information, if any harm was done at all, but that tweeting out the medical chart image itself suddenly was actionable. Why Pierre-Paul chose this attack on ESPN and a journalist rather than whatever source shared the chart with Schefter in the first place is largely left unaddressed, although the depth of the parties’ respective pockets likely has something to do with it.
Regardless, this is a disappointing ruling on many levels. Those seeking medical attention certainly do have an expectation of privacy from those providing the healthcare work, and one would think HIPAA violations may be in play here as well, but Pierre-Paul has no such expectation of privacy from a journalist covering him. The proper defendant in this case is obviously whoever provided the chart to Schefter, and likely over HIPAA violations. Whatever the implications for privacy at issue here, it seems quite clear that chilling the reporting of journalists who receive information from sources is not the proper vector for addressing those issues. Between this and the Gawker case, along with the public comments by one well-known would-be politician, we seem to be entering a different era in terms of how the press is viewed and treated in America.
Filed Under: adam schefter, first amendment, hipaa, jason pierre-paul, journalism, medical reports, privacy
Companies: espn
Myriad Genetics Refuses To Accept That People Have A Right To Access Their Own DNA Sequences
from the just-because-it's-your-genome,-don't-think-you-own-it dept
One of the biggest victories on the patent front was when the US Supreme Court finally ruled that naturally-occurring DNA cannot be patented. The company involved in this case, Myriad Genetics, didn’t give up at this point, but tried to claim that despite this ruling, its patents on genetic testing were still valid. Fortunately, the courts disagreed, and struck down those patents too.
However, as we noted at the time, there’s another issue that remains unresolved, which concerns the huge database of DNA that Myriad Genetics has built up over years of sequencing the BRCA1 and BRCA2 genes that have variants linked to cancer. Because of Myriad’s unwillingness to provide that important data to the people whose DNA was sequenced, the American Civil Liberties Union (ACLU) has decided to take action:
> On May 19, 2016, the ACLU filed a complaint pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) with the U.S. Department of Health & Human Services (“HHS”) on behalf of four patients against Myriad Genetics, a genetic testing laboratory based in Utah. The complaint was filed by patients who have experienced cancer, including breast and bladder cancers, or who are members of families with substantial histories of cancer.
All of the patients received genetic testing from Myriad Genetics in order to determine their hereditary risk for various forms of cancer and to guide treatment decisions. They later asked for all of their genetic information, not just the results, but Myriad refused to provide it. As the ACLU explains:
> The patients want full access to their genetic information because they know that the understanding of genes and their variants is constantly evolving, and they want to be able to proactively monitor their own cancer risk and that of their family members as scientific knowledge and clinical interpretation of genomic information advances. Most importantly, the patients, many of whom have uncommon genetic variants, are concerned that Myriad controls much of the data about BRCA1 and BRCA2 genetic variants in a proprietary database. This impedes the ability of researchers to better understand whether these variants are connected with various types of cancer. The patients want to have the option of sharing their data with the broader research community.
The last point is key. Myriad is sitting on a wealth of information that might well lead to new treatments and even cures for the many cancers involved. Instead, it is asserting its proprietorial right over DNA that comes from other people. That’s particularly egregious since the scientists who first sequenced DNA on a large scale were pioneers in data sharing. As early as 1996, laboratories taking part in the Human Genome Project not only agreed to share their data, but to do so immediately, and with no restrictions. Myriad Genetics’ action is totally at odds with the ethos of sharing that lies at the heart of genomics.
As a blog post on the ACLU site notes, on the eve of the HIPAA complaint being filed, Myriad suddenly agreed to provide the information requested, but only on a “voluntary” basis. That is, it refused to recognize the broader rights of patients to their own genetic information. However, the ACLU believes that the law is straightforward here:
> Patients are guaranteed access to their health information — including their genetic data — under HIPAA. In 2014, the U.S. Department of Health and Human Services amended the HIPAA regulations to make clear that all laboratories, which were previously exempted, are subject to this obligation. And earlier this year, HHS released guidance stating that with respect to genetic testing, patients have a right to access “not only the laboratory test reports but also the underlying information generated as part of the test,” including “the full gene variant information generated by the test, as well as any other information in the designated record set concerning the test.”
Let’s hope this case leads to yet another defeat for Myriad, and establishes once and for all that DNA sequences belong to the people from whom they were obtained. That way they will be free to make data available to researchers for the benefit of everyone, not just for a few companies like Myriad Genetics.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: dna, gene patents, hipaa, patents
Companies: aclu, myriad genetics
Stung By Yelp Reviews, Health Providers Spill Patient Secrets
from the HIPAA-HIPAA dept
Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism.
In the course of these arguments — which have spilled out publicly on ratings sites like Yelp — doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies.
One Washington state dentist turned the tables on a patient who blamed him for the loss of a molar: “Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root,” he wrote. “This tooth is no different.”
In California, a chiropractor pushed back against a mother’s claims that he misdiagnosed her daughter with scoliosis. “You brought your daughter in for the exam in early March 2014,” he wrote. “The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.”
And a California dentist scolded a patient who accused him of misdiagnosing her. “I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. … You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision.”
Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. The law forbids them from disclosing any patient health information without permission.
Yelp has given ProPublica unprecedented access to its trove of public reviews — more than 1.7 million in all — allowing us to search them by keyword. Using a tool developed by the Department of Computer Science and Engineering at the NYU Polytechnic School of Engineering, we identified more than 3,500 one-star reviews (the lowest) in which patients mention privacy or HIPAA. In dozens of instances, responses to complaints about medical care turned into disputes over patient privacy.
The patients affected say they’ve been doubly injured — first by poor service or care and then by the disclosure of information they considered private.
The shock of exposure can be effective, prompting patients to back off.
“I posted a negative review” on Yelp, a client of a California dentist wrote in 2013. “After that, she posted a response with details that included my personal dental information. … I removed my review to protect my medical privacy.”
The consumer complained to the Office for Civil Rights within the U.S. Department of Health and Human Services, which enforces HIPAA. The office warned the dentist about posting personal information in response to Yelp reviews. It is currently investigating a New York dentist for divulging personal information about a patient who complained about her care, according to a letter reviewed by ProPublica.
The office couldn’t say how many complaints it has received in this area because it doesn’t track complaints this way. ProPublica has previously reported about the agency’s historic inability to analyze its complaints and identify repeat HIPAA violators.
Deven McGraw, the office’s deputy director of health information privacy, said health professionals responding to online reviews can speak generally about the way they treat patients but must have permission to discuss individual cases. Just because patients have rated their health provider publicly doesn’t give their health provider permission to rate them in return.
“If the complaint is about poor patient care, they can come back and say, ‘I provide all of my patients with good patient care’ and ‘I’ve been reviewed in other contexts and have good reviews,’ ” McGraw said. But they can’t “take those accusations on individually by the patient.”
McGraw pointed to a 2013 case out of California in which a hospital was fined $275,000 for disclosing information about a patient to the media without permission, allegedly in retaliation for the patient complaining to the media about the hospital.
Yelp’s senior director of litigation, Aaron Schur, said most reviews of doctors and dentists aren’t about the actual health care delivered but rather their office wait, the front office staff, billing procedures or bedside manner. Many health providers are careful and appropriate in responding to online reviews, encouraging patients to contact them offline or apologizing for any perceived slights. Some don’t respond at all.
“There’s certainly ways to respond to reviews that don’t implicate HIPAA,” Schur said.
In 2012, University of Utah Health Care in Salt Lake City was the first hospital system in the country to post patient reviews and comments online. The system, which had to overcome doctors’ resistance to being rated, found positive comments far outnumbered negative ones.
“If you whitewash comments, if you only put those that are highly positive, the public is very savvy and will consider that to be only advertising,” said Thomas Miller, chief medical officer for the University of Utah Hospitals and Clinics.
Unlike Yelp, the University of Utah does not allow comments about a doctor’s medical competency, and it does not allow physicians to respond to comments.
In discussing their battles over online reviews, patients said they’d turned to ratings sites for closure and in the hope that their experiences would help others seeking care. Their providers’ responses, however, left them with a lingering sense of lost trust.
Angela Grijalva brought her then 12-year-old daughter to Maximize Chiropractic in Sacramento, Calif., a couple years ago for an exam. In a one-star review on Yelp, Grijalva alleged that chiropractor Tim Nicholl led her daughter to “believe she had scoliosis and urgently needed x-rays, which could be performed at her next appointment. … My daughter cried all night and had a tough time concentrating at school.”
But it turned out her daughter did not have scoliosis, Grijalva wrote. She encouraged parents to stay away from the office.
Nicholl replied on Yelp, acknowledging that Grijalva’s daughter was a patient (a disclosure that is not allowed under HIPAA) and discussing the procedures he performed on her and her condition, though he said he could not disclose specifics of the diagnosis “due to privacy and patient confidentiality.”
“The next day you brought your daughter back in for a verbal review of the x-rays and I informed you that the x-rays had identified some issues, but the good news was that your daughter did not have scoliosis, great news!” he recounted. “I proceeded to adjust your daughter and the adjustment went very well, as did the entire appointment; you made no mention of a ‘misdiagnosis’ or any other concern.”
In an interview, Grijalva said Nicholl’s response “violated my daughter and her privacy.”
“I wouldn’t want another parent, another child to go through what my daughter went through: the panic, the stress, the fear,” she added.
Nicholl declined a request for comment. “It just doesn’t seem like this is worth my time,” he said. His practice has mixed reviews on Yelp, but more positive than negative.
A few years ago, Marisa Speed posted a review of North Valley Plastic Surgery in Phoenix after her then-3-year-old son received stitches there for a gash on his chin. “Half-way through the procedure, the doctor seemed flustered with my crying child. …,” she wrote. “At this point the doctor was more upset and he ended up throwing the instruments to the floor. I understand that dealing with kids requires extra effort, but if you don’t like to do it, don’t even welcome them.”
An employee named Chase replied on the business’s behalf: “This patient presented in an agitated and uncontrollable state. Despite our best efforts, this patient was screaming, crying, inconsolable, and a danger to both himself and to our staff. As any parent that has raised a young boy knows, they have the strength to cause harm.”
Speed and her husband complained to the Office for Civil Rights. “You may wish to remove any specific information about current or former patients from your Web-blog,” the Office for Civil Rights wrote in an October 2013 letter to the surgery center.
In an email, a representative of the surgery center declined to comment. “Everyone that was directly involved in the incident no longer works here. The nurse on this case left a year ago, the surgeon in the case retired last month, and the administrator left a few years ago,” he wrote.
Reviews of North Valley Plastic Surgery are mixed on Yelp.
Health providers have tried a host of ways to try to combat negative reviews. Some have sued their patients, attracting a torrent of attention but scoring few, if any, legal successes. Others have begged patients to remove their complaints.
Jeffrey Segal, a one-time critic of review sites, now says doctors need to embrace them. Beginning in 2007, Segal’s company, Medical Justice, crafted contracts that health providers could give to patients asking them to sign over the copyright to any reviews, which allowed providers to demand that negative ones be removed. But after a lawsuit, Medical Justice stopped recommending the contracts in 2011.
Segal said he has come to believe reviews are valuable and that providers should encourage patients who are satisfied to post positive reviews and should respond — carefully — to negative ones.
“For doctors who get bent out of shape to get rid of negative reviews, it’s a denominator problem,” he said. “If they only have three reviews and two are negative, the denominator is the problem. … If you can figure out a way to cultivate reviews from hundreds of patients rather than a few patients, the problem is solved.”
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter. Reposted from ProPublica via its CC-BY-NC-ND license.
Filed Under: dentists, doctors, hipaa, medical practitioners, patient info, patients, privacy, reviews
Companies: yelp
DEA Impersonating Medical Board Investigators To Gain Access To Personal Health Records
from the the-constant-hassle-of-minimal-paperwork-thwarted-yet-again! dept
Medical records have long been given an increased expectation of privacy, something that dates back to before the passage of HIPAA. (See also: Hippocratic Oath.) Consultations with doctors — and the written records resulting from them — have generally been treated as confidential, seeing as they contain potentially embarrassing/damaging information. Personal health information can be reported to law enforcement for many reasons: suspicion of criminal activity on the health entity’s property, suspicion of criminal activity related to an off-site emergency, reporting a death, patients with stabbing/gunshot wounds, or in the case of a serious/immediate threat. Otherwise, HIPAA’s rules for law enforcement say personal information can only be released under the following conditions:
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used).
The bar is set pretty low and the DEA has been taking advantage of it. Jon Cassidy of Watchdog.org is reporting that the agency is rooting around in medical records in hopes of finding patients or health care providers who might be abusing drugs.
The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants.
What the DEA is using instead is a blend of impersonation and administrative permission slips sporting the agency’s own signature.
Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval.
How often is this happening? Apparently it’s so close to “all the time” that the DEA doesn’t even have an approximate guess. This is what a DEA spokesperson told the Daily Caller.
“It’s not like there’s ten of them. There’s probably thousands — I know there are thousands,” Matt Barden, spokesman for the DEA, told the Daily Caller News Foundation about the DEA’s use of administrative subpoenas.
Early last year, a federal court in Oregon ruled the DEA could not access the state’s prescription database without a warrant. Unfortunately, this was due to Oregon’s state laws being more restrictive than federal law. A federal judge in Texas reached the opposite conclusion, finding that the DEA’s use of administrative subpoenas complied with both HIPAA and state law. This decision is now headed for the Fifth Circuit Court of Appeals, where it is hoped a finding similar to the decision in Oregon will be the end result. But judging from the laws in place, that outcome is doubtful.
While the DEA’s use of administrative subpoenas appears to comply with HIPAA’s restrictions, its repeated attempts (many of them successful) to access medical records with no paperwork whatsoever seem less likely to stand up to legal scrutiny.
The Dallas-area doctors bringing the lawsuit against the DEA have uncovered plenty of DEA subterfuge. In their case, three DEA agents showed up at their offices with a state medical board investigator. Only the investigator identified herself. The agents remained silent, allowing the nurse to believe they, too, were with the state medical board.
The state medical board may have every right to view medical records without any accompanying paperwork, but that’s because this information falls directly under its purview. The DEA, however, is looking to build criminal cases. This brings with it additional Fourth Amendment considerations and, at the very least, should bind it to the minimal restrictions of HIPAA. Apparently, issuing its own permission slips is still too much work and the delivered paperwork might accidentally restrict it to only certain medical records pertaining to certain people. By impersonating medical board members, agents have unrestricted access to whatever they ask for.
As Watchdog’s Jon Cassidy points out, patients who’d like their privacy respected may want to seek their prescriptions and refills… elsewhere.
The DEA’s practice of avoiding warrant requirements has produced this absurdity: If you have a prescription for Adderall or OxyContin, you might be safer getting your drugs on the street than through your own doctor.
Street dealers, after all, don’t keep patient records, and they’re afforded more constitutional protections than medical practitioners. That is, cops still need a warrant to search them.
While the latter isn’t strictly true in all cases, it’s true enough to show how limited the protections of HIPAA actually are. The more disturbing aspect is that the DEA isn’t even satisfied with near-instant access to a wealth of medical records provided by administrative subpoenas. It apparently only uses the correct paperwork as Plan B, preferring to mislead medical practitioners by allowing them to believe its agents are investigators working for the state medical board.
Filed Under: 4th amendment, dea, health records, hipaa, impersonation, investigations, medical boards, privacy, warrant
DOJ Misleads Court About Medical And Financial Records In Appeals Over NSA Surveillance
from the because-that's-what-the-DOJ-does dept
Earlier this week, the Ninth Circuit heard oral arguments in a challenge to the NSA’s phone metadata program. While watching, I noticed some quite misleading legal claims by the government’s counsel. I then reviewed last month’s oral arguments in the D.C. Circuit, and I spotted a similar assertion.
In both cases, the government attorney waved away constitutional concerns about medical and financial records. Congress, he suggested, has already stepped in to protect those files.
With respect to ordinary law enforcement investigations, that’s only slightly true. And with respect to national security investigations, that’s really not right.
Medical Records
During Smith, the Ninth Circuit case, there was an extended line of questioning about various sorts of business records. Judge Hawkins kicked it off:
Suppose the National Security Agency wanted access to all utility records. Nationwide. Would that rationale apply?
Subsequent discussion touched on hotel and financial records. Then Judge McKeown asked:
What about medical records?
The Department of Justice attorney responded:
Well medical records, Judge McKeown I’m so glad you asked that because this is really an important point, medical records would be subject to HIPAA, among other protections.
A similar question in Klayman, the D.C. Circuit case, drew a similar response.
HIPAA, in your example Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information.
Later in the Smith argument, counsel reemphasized the importance of HIPAA, including:
But I think the significance of HIPAA can’t be discounted.
By way of background, the Health Insurance Portability and Accountability Act is the primary federal law that addresses health records. Under HIPAA, the Department of Health and Human Services is empowered to promulgate detailed privacy rules.
Here’s the catch: the HIPAA privacy rules have special exceptions for law enforcement and national security investigations.
The law enforcement provision is very broad. It covers all the usual police procedures, including subpoenas. Those don’t require a judge’s advance permission, and they also require much less basis than probable cause.
The national security exception is, of course, even more pertinent to the Smith and Klayman cases. And it’s even broader.
A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
In non-legalese: HIPAA just doesn’t apply to the NSA.1 And yet, in two separate NSA appeals, the government has emphasized HIPAA.2
Financial Records
In the Smith argument, government counsel twice noted that Congress has enacted privacy protections for financial records.
Following Miller, Congress enacted the financial privacy protections by statute.
In response to Miller, that Congress enacted a bank records protection of privacy . . .
Similarly, in Klayman:
For example, following the Miller case, Congress passed a statute governing the secrecy of bank records.
As background, United States v. Miller held that routine financial records are not protected by the Fourth Amendment. Two years later, Congress passed the Right to Financial Privacy Act, which largely codified Miller. Law enforcement agencies can still access financial records with just a subpoena.3
What’s more, RFPA includes a special set of national security procedures. Federal grand jury subpoenas and warrants aren’t covered by RFPA, so long as the investigating agency self-certifies “there may result a danger to the national security of the United States.”
RFPA also includes a National Security Letter provision. In counter-intelligence and counter-terrorism investigations, the FBI (and, by proxy, the NSA) doesn’t even need a grand jury subpoena. It can demand financial records with a mere self-certification.
So, once again: in a national security appeal, why emphasize privacy protections that don’t extend to national security investigations?
Section 215 of the USA PATRIOT Act
The precise statutory provision at issue in Smith and Klayman is Section 215 of the USA PATRIOT Act. It allows FBI (and NSA) access to any business records when conducting a counter-intelligence or counter-terrorism investigation.4 A FISA judge’s approval is required, though the standard for issuance is very low.
Section 215 covers medical records. A part of the statute, in fact, expressly addresses them.
Section 215 also covers financial records. In a 2010 opinion, the FISA Court held as much. And, in fact, the CIA operates a bulk financial surveillance program under Section 215.
In sum: not only are national security investigations generally outside HIPAA and RFPA, but the very same authority at issue in Smith and Klayman allows access to medical and financial records.
Concluding Thoughts
Reasonable minds can disagree on whether the government’s representations in Smith and Klayman were literally false. At minimum, they were highly misleading.
United States privacy law is notoriously convoluted. But this much is certain: medical and financial records are, by statute and rule, readily available to the intelligence community. The executive branch shouldn’t even hint otherwise.
Thanks to the colleagues who provided feedback on the legal analysis in this post. All views are solely my own.
1. In most instances of domestic surveillance, NSA requests are passed through the FBI. Since the National Security Act designates the FBI as a member of the intelligence community, its national security investigations are also unregulated by HIPAA.
2. In a charitable interpretation, the attorney misspoke while attempting to note that Congress can craft more nuanced privacy rules than the courts, and that Congress can provide privacy protections beyond the Fourth Amendment. Those points are undoubtedly true, though undoubtedly known to the judges.
3. A plain reading of RFPA suggests some privacy protection: targets receive advance notice of a subpoena and have an opportunity to contest the subpoena. In everyday practice, however, RFPA’s delayed notice provisions have swallowed the rule. Law enforcement agencies routinely obtain court orders that both eliminate the advance notice requirement and temporarily gag financial institutions from disclosure.
4. Where U.S. persons aren’t involved, any foreign intelligence purpose is sufficient.
Reposted from Web Policy
Filed Under: 4th amendment, bank records, doj, hipaa, klayman, nsa, patriot act, privacy, rfpa, section 215, smith, surveillance
District Court Says DEA's Warrantless Access Of Oregon's Prescription Database Is Unconstitutional
from the the-War-on-Drugs-has-no-time-for-your-outdated-'rights' dept
Early last year, the news surfaced that the DEA was bypassing Oregon state law by using administrative subpoenas to get around the state’s warrant requirement for drug prescription database access. “Administrative subpoenas” are yet another government tool that allows agencies to seek information that would normally require a warrant, but without the hassle of running it past a judge or even showing probable cause.
The DEA probably didn’t expect to encounter much resistance to its subpoenas. After all, drugs are bad and the DEA is fighting the good fight. But the state of Oregon wasn’t impressed with the DEA’s warrantless tactics and filed suit with the assistance of the ACLU. The ACLU is now reporting that a federal judge has ruled in its (and Oregon’s) favor and that the DEA (along with other law enforcement entities) will no longer be able to skirt the state’s warrant requirement.
For the first time, a federal judge has ruled that patients have a reasonable expectation of privacy in their drug prescription records, and that law enforcement must obtain a warrant in order to search such information…
“This is a victory for privacy and for the constitutional rights of anyone who ever gets drug prescriptions,” said ACLU Staff Attorney Nathan Freed Wessler, who argued the case last month. “The ruling recognizes that confidential medical records are entitled to the full protection of the Fourth Amendment. The court rightly rejected the federal government’s extreme argument that patients give up their privacy rights by receiving medical treatment from doctors and pharmacists.”
As the ruling points out, citizens have long associated privacy with medical treatment, something that has gone hand-in-hand dating back to the 4th century B.C.E. and the origin of the Hippocratic Oath. It also points out the obvious: federal law itself (HIPAA) contains built-in privacy protections. (Hence the form you have to sign, the privacy info sheet you’re handed on every visit, and signs everywhere telling you to stand behind them for the privacy of the patient in front of you.)
The judge’s decision also notes that stripping away this expectation of privacy will have a chilling effect on those seeking medical care, something that could have very adverse effects on the health of people who might avoid seeking treatment because they fear their medical records will be exposed.
As the ACLU notes in its press release, it’s not exactly happy the state of Oregon has chosen to create a centralized database of drug prescriptions, but, if it is going to do so, it has at least chosen to take the privacy of those contained in the database very seriously.
This decision strikes a small blow against the government’s routine abuse of “exceptions” to warrant requirements as well as against its even more routine abuse of the “third party doctrine,” which the DEA actually used to claim that talking to a doctor is no different than dialing a phone. The DEA knows there’s a huge difference between these two “third parties,” but applying that knowledge means showing probable cause and getting a judge to sign off on the warrant, two requirements it apparently feels only hamper its War on Drugs.
Filed Under: aclu, dea, hipaa, oregon, privacy, warrantless access
Police Use HIPAA To Justify Charging Citizen For Recording Them
from the well-that's-just-bullshit dept
At some point, some national group is going to have to get the memo out to local law enforcement agencies within the United States that it is perfectly legal to record them while they operate in public. We've seen case after case after case of citizens having their property taken away or being charged with trumped up crimes all because they pointed a recording device at the police. Hell, some states have tried to enact unconstitutional laws to back up their ill-conceived and unwarranted positions.
All that being said, you just have to hand it to a police force up in Minnesota for the sheer cojones it took to do what they did. It started as other stories have, with a citizen, Andrew Henderson, recording police as they frisked a bloodied man before he was loaded into an ambulance, and then having an officer take his recording device away.
The deputy, Jacqueline Muellner, approached him and snatched the camera from his hand, Henderson said.
“We’ll just take this for evidence,” Muellner said. Their voices were recorded on Henderson’s cellphone as they spoke, and Henderson provided a copy of the audio file to the Pioneer Press. “If I end up on YouTube, I’m gonna be upset.”
We’ve seen this kind of thing before, of course. Police use the excuse of evidence collecting to take away recording devices, which is really the only thing they’re interested in. It’s wrong. We get that. Usually some kind of internal review of the incident is triggered, asses are officially covered, and then the recording device is returned, sometimes after having been wiped. It’s a bad enough story as it stands.
And that scenario is almost exactly what happened here, as the spokesman for Ramsey County acknowledged in a quote that citizens have the right to record police. But everyday abusive practices aren’t enough for Ramsey County officers, apparently. The only thing that will satisfy them appears to be a new level of bullshit hitherto unseen, because a week later, when Henderson went to retrieve the camera, the police charged him with disorderly conduct and obstruction, with the citation noting that this was due to a “Data privacy HIPAA violation.” In case you aren’t clear on this, in the blogging industry, we refer to this as a massive amount of bullshit (piles and piles of it).
The allegation that his recording of the incident violated HIPAA, or the federal Health Insurance Portability and Accountability Act, is nonsense, said Jennifer Granick, a specialist on privacy issues at Stanford University Law School. The rule deals with how health care providers handle consumers’ health information.
“There’s nothing in HIPAA that prevents someone who’s not subject to HIPAA from taking photographs on the public streets,” Granick said. “HIPAA has absolutely nothing to say about that.”
The kicker? The deputy who had taken the camera for “evidence” purposes erased all the footage. The exchange in which she took that camera was audio recorded by Henderson separately on his cell phone, a recording which he still has. I would suggest that if the police do not immediately rescind their trumped up charges against him, Henderson should insist that we take the deputy at her word, assume she collected the camera and its footage as evidence, and then we can all begin discussing how much prison time the deputy should be doing for destruction of evidence and obstruction of justice.
That’s no more crazy than anything the police have done in this story.
Filed Under: hipaa, overreaction, police, ramsey county, recording