If you have visited a doctor's office, hospital or pharmacy over the past few months, you may have received a notice telling you that your medical records may be turned over to the government for law enforcement or intelligence purposes.[i] More often than not, these notices contain ominous language like:
"National Security and Intelligence Activities Or Protective Services. We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials."[ii]
These notices have heightened the growing public concern over the privacy of medical records and made it plain that the recent "Medical Privacy" rules - enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - offer patients far less protection than the Federal Government promises. Many people have started to ask questions about these practices, including:
This document is designed to answer some of these questions regarding these notices, as well as provide background information about the relevant legal standards.
Law enforcement disclosure powers
Q: Can the police get my medical information without a warrant?
A: Yes. The HIPAA rules provide a wide variety of circumstances under which medical information can be disclosed for law enforcement-related purposes without explicitly requiring a warrant.[iii] These circumstances include (1) law enforcement requests for information to identify or locate a suspect, fugitive, witness, or missing person (2) instances where there has been a crime committed on the premises of the covered entity, and (3) in a medical emergency in connection with a crime.[iv]
In other words, law enforcement is entitled to your records simply by asserting that you are a suspect or the victim of a crime.
The regulations also contain 2 separate subsections that specifically permit the release of private medical information for "National security and intelligence activities" as well as "Protective services for the President and others." One of these subsections states that a "covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act."[v] The other subsection allows analogous disclosures in order to protect the President, former Presidents, Presidents-elect, foreign dignitaries and other VIPs.[vi]
Q: Can the government get access to my medical files through the USA Patriot Act?
A: Yes. Section 215 of the Patriot Act allows the FBI Director or his designee to get a court order under the Foreign Intelligence Surveillance Act "requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution."[vii] This power appears to apply to medical records.
Q: Is this power to access my medical information limited to my health care provider?
A: No. The HIPAA disclosure regulations also apply to many other organizations, including health plans, pharmacies, health clearinghouses, medical research facilities and various medical associations. And the Patriot Act's "tangible items" power is so broad that it covers virtually anyone and any organization-not just medically oriented entities or medical professionals.
Q: Is it Constitutional for the government to get my medical information without a warrant?
A: The ACLU believes that this easy, warrantless access to our medical information violates the U.S. Constitution, especially the Fourth Amendment, which generally bars the government from engaging in unreasonable searches and seizures.[viii] However, because the Patriot Act and the HIPAA regulations have only recently gone into effect, their constitutionality remains largely untested, although at least one legal challenge to the HIPAA rules is underway, and more challenges are likely.
Notice requirements
Q: Do health providers and other medical entities have to give me specific notice when they turn over my medical files to the government?
A: No. Neither HIPAA nor the Patriot Act require that notice be given to affected individuals, either before their files are turned over (giving them a chance to challenge the privacy infringement) or after the fact. In fact, the Patriot Act actually bans health providers from telling "any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things."[ix]
Q: Does HIPPA, at least, give me a right to know whether my doctor or hospital can give my medical records to the police without a warrant?
A: Only in the most general sense. For the most part, the HIPAA regulations require covered entities to tell their customers about ways their medical files could be disclosed without their consent, including national security & intelligence activities and Presidential security reasons.[x] Under the HIPAA rules, hospitals and other covered entities "must provide a notice that is written in plain language" and contains a "description of. purposes for which" they are "permitted. to use or disclose protected health information without the individual's written authorization."[xi]
Q: Do these notices have to be very specific?
A: Probably Not. The HIPAA rules merely require "adequate" notice of the government's power to get medical information for various law enforcement purposes, and lay down only rough ground rules regarding how entities should inform their customers about such disclosures. For example, the rules do not provide specific language to describe such disclosures, despite stipulating the use of exact words for other portions of these notices.[xii]
Moreover, the regulations are unclear on whether these notices must list disclosures that are allowed under other laws (such as the USA Patriot Act). The HIPAA rules provide that when describing the purposes under which health information can be disclosed without the patient's consent, "the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law."[xiii] However, there is also language suggesting that this requirement to describe "other applicable law" may only apply to legal standards that are more protective of privacy than the HIPAA rules. This is because the HIPAA rules were meant to be a floor for privacy protection, not a ceiling; thus, the regulations do not preempt state medical privacy laws that are tougher than their Federal counterparts.[xiv]
Q: How will I receive these notices?
A: The rules mention several ways that covered entities may provide these notices, including by giving a paper copy to the individual, making the notice available on the organization's Web site, sending it by email, or, if the "covered health care provider" maintains a hospital or other "physical service delivery site," posting the notice "in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice."[xv]
Q: When will I receive these notices?
A: The timeline for delivering these notices varies. Health plans must provide notice "no later than the compliance date for the health plan, to individuals then covered by the plan," and to new enrollees thereafter, as well as within 60 days of a "material revision to the notice." Furthermore, covered entities must "promptly revise and distribute its notice whenever it makes material changes to any of its privacy policies."[xvi]
Q: Can health providers and other medical entities at least provide general notices that they might have to turn over their customers' files to the government under the Patriot Act?
A: Probably. While the Patriot Act prohibits medical providers and others from disclosing that the government has demanded information, it apparently does not ban generalized notices (i.e. notices that do not mention whether a given entity has been served with a tangible items order) to people that the government has this power. Indeed, the HIPAA rules requiring notice of access to medical records for foreign intelligence gathering would seem to cover these situations, and are not explicitly contradicted by the Patriot Act.[xvii]
Note that this approach has already been used by other entities who may be served with Patriot Act tangible items orders, especially libraries. Questions about this policy should be directed to Attorney General John Ashcroft, Department of Justice, Washington, DC 20530.[xviii]
Q: What can I do to protect my rights as a consumer of medical services?
A: You should call on the Congress and your state legislature to revise their medical privacy laws to provide that sensitive medical information can only be turned over to law enforcement and intelligence agencies, when they have probably cause to believe that a crime has been committed and a warrant issued by a neutral judge.
[i] Many of the thousands of health care providers around the US have their own privacy notices. A typical example is TERENCE CARDINAL COOKE HEALTH CARE CENTER, NOTICE OF PRIVACY PRACTICES 8 (2003) ("Law Enforcement. We may disclose your health information to law enforcement officials for the following reasons:
[iii] 45 C.F.R. § 164.512(f)(2002).
[viii] U.S. CONST., amend. IV.
[xii] See, e.g. 45 C.F.R. § 164.520(b)(1)(i)("The notice must contain the following statement as a header or otherwise prominently displayed: 'THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.' ").
[xiii] 45 C.F.R. § 164.520(b)(1)(ii)(D)(emphasis added).
[xiv] See, e.g. 45 C.F.R. § 164.520(b)(1)(ii)(C)("If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use of disclosure must reflect the more stringent law.").
[xv] See 45 C.F.R. § 164.520(c).
[xvi] See OFFICE OF CIVIL RIGHTS, U.S. DEP'T OF HEALTH & HUMAN SERVICES, NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION 2 (2003), available at http://www.hhs.gov/ocr/hipaa/guidelines/notice.pdf, citing 45 C.F.R. §§ 164.520(b)(3), (c)(1)(i)(C) & (c)(2)(iv).
[xvii] 50 U.S.C. § 501(a)(1); 45 C.F.R. 164.512(k)(2).