Security and Privacy After September 11: The Health

advertisement
106746366
3/3/2016 1:49 AM
Security and Privacy After September 11: The
Health Care Example
Peter P. Swire† & Lauren B. Steinfeld††
In September 1999, the Wall Street Journal published a
poll that asked Americans what they feared most in the upcoming century.1 The poll included a number of frightening concerns, such as international terrorism, global warming, and
world war. Ranking first among the dozen serious issues, and
listed as the first or second choice of twenty-nine percent of respondents, was “erosion of personal privacy.”2 No other issue
scored above twenty-three percent.3
Only a year later, in the wake of the September 11 attacks
on the World Trade Center and the Pentagon, security issues
clearly became far more important in the public mind. Although no poll has re-asked the precise question posed by the
Wall Street Journal, a range of polls in the months after the attacks showed significantly greater concern about public safety
and noticeably lower salience for privacy issues.4
† Professor, Moritz College of Law of the Ohio State University. From
March, 1999 to January, 2001 Professor Swire served as the Clinton Administration’s Chief Counselor for Privacy, in the U.S. Office of Management and
Budget. In that position, Professor Swire was White House coordinator for the
proposed and final medical privacy rule and also chaired a White House Working Group on how to update wiretap and surveillance laws for the Internet
age. He thanks Larry Glasser and Andrew Stewart for research assistance on
this article. Web: http://www.osu.edu/units/law/swire.htm.
†† Chief Privacy Officer, University of Pennsylvania and Consultant,
Morrison & Foerster LLP. From June, 1999 to January, 2001 Ms. Steinfeld
served as the Associate Chief Counselor for Privacy, in the U.S. Office of Management and Budget. In that position, she headed a number of working
groups for the medical privacy rule and worked extensively as well on numerous other privacy issues.
1. Christy Harvey, American Opinion (A Special Report): Optimism
Outduels Pessimism, WALL ST. J., September 16, 1999, at A10.
2. Id.
3. Id.
4. See generally Electronic Privacy Information Center, Public Opinion
101
106746366
102
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
As one sign of the changed times, the Bush Administration
proposed new legislation, ultimately named the USA-PATRIOT
Act,5 less than a week after the attacks.6 In the area of wiretaps and electronic surveillance, the proposal contained a number of provisions that had been previously rejected by Congress
as too pro-surveillance.7 It included other new surveillance
powers that had not ever been subject to any hearing or debate
in Congress.8
Just the previous summer, the Clinton Administration had
proposed updating the same laws in ways that also updated
law enforcement authorities while being more protective of privacy.9 The House Judiciary Committee, with an overwhelming
bipartisan majority, had amended the bill substantially further
toward the privacy side.10 Now, following the attacks, the preon Privacy, at http://www.epic.org/privacy/survey/ (last updated Mar. 26, 2002)
(collecting polling data on privacy issues).
5. Uniting and Strengthening America by Providing Appropriate Tools
Required to Interpret and Obstruct Terrorism Act of 2001 (USA-PATRIOT
Act), Pub. L. No. 107-56, 115 Stat. 272 (2001).
6. Bush Administration officials discussed proposals within a few days of
the September 11 attacks, and the draft legislation was formally sent to Congress by Attorney General John Ashcroft by September 17. Bush Seeks Enhanced Tools to Fight Terrorism, CINCINNATI POST, Sept. 17, 2001, at 6A;
Bush Seeks to Expand Legal Arsenal Against Terrorism, WALL ST. J., Sept. 18,
2001, at A24; Congress May Loosen Bugging Restrictions, ST. LOUIS POSTDISPATCH, Sept. 18, 2001, AT A8; Manhunt for Accomplices Widens; Ashcroft
Seeks Greater Police Powers, GANNETT NEWS SERV., Sept. 17, 2001, available
at 2001 WL 5112790.
7. Examples include broader powers to conduct roving wiretaps, expansion of the use of foreign intelligence surveillance wiretaps, and easier access
by law enforcement to voice mail messages. See infra text accompanying notes
27-32 (discussing new powers under the USA-PATRIOT Act).
8. For example, the Act allows law enforcement to monitor telephone and
e-mail communications on an ongoing basis to catch suspected computer hackers. See § 217, 115. Stat. at 290.
9. See Press Release, The White House, Assuring Security and Trust in
Cyberspace, (July 17, 2000) (announcing legislation proposed by Chief of Staff
John D. Podesta in remarks at the National Press Club) available at
http://www.privacy2000.org/archives/ (last visited Apr. 5, 2002). For the text
of Podesta’s remarks, see Press Release, The White House, Remarks by the
President’s Chief of Staff John D. Podesta on Electronic Privacy to National
Press Club, (July 18, 2000), available at http://www.privacy2000.org/archives/.
10. Press Release, The White House, Press Briefing by Chief of Staff John
Podesta to Internet Press Organizations (Oct. 2, 2000) (noting a bill that improves privacy protection just passed the House Judiciary Committee, but expressing hope that the Senate would strengthen the privacy protections even
further).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 103
vious legislative momentum toward greater privacy protections
suddenly shifted to greater government surveillance powers
than anyone would have seriously proposed a year earlier. The
USA-PATRIOT Act passed on October 25, 2001.11 Critics of the
Act were able to make few amendments during its rushed consideration, although some of the most worrisome surveillance
provisions will sunset in 2004.12
This legislative about-face in the area of surveillance law
raises a linked series of questions that we address in this Article. First, we explore the relationship between protecting privacy, an especially hot issue before September 11, and protecting security, an especially hot issue since then. We do this by
exploring the situations in which the two goals are antagonistic, what we call “privacy vs. security,” and other situations in
which the two goals are complementary, what we call “privacy
and security.”
A next issue to consider is the extent to which the shifting
public sentiment about the relative importance of security and
privacy should lead us to reexamine privacy initiatives put into
place before September 11. The most far-reaching of these is
the medical privacy regulation issued in 2000 under the Health
Insurance Portability and Accountability Act of 1996
(“HIPAA”), and scheduled for compliance by health care providers, insurers, and others by April 2003.13 In the wake of the
September 11 attacks, for instance, we might wonder how well
the HIPAA privacy rule allows for reporting to law enforcement
officials about terrorist or other security threats. In the wake
of the anthrax incidents from the fall of 2001, we might similarly wonder how well the public health reporting rules would
work during a period of heightened security concern.
11. The USA-PATRIOT Act was passed by Congress on October 25, 2001
and signed by President Bush two days later. Ann McFeatters, Bush Signs
Anti-Terror Bill, Says Tough Law Will Preserve Constitutional Rights,
PITTSBURG POST-GAZETTE, Oct. 27, 2001, at A6.
12. For analyses of the USA-PATRIOT Act, see Peter P. Swire, If Surveillance Expands, Safeguard Civil Liberties, ATLANTA J. CONST., Oct. 21, 2001, at
D2; Peter P. Swire, Administration Wiretap Proposal Hits the Right Issues But
Goes
Too
Far,
Oct.
3,
2001,
Brookings
Institution,
http://
www.brookings.edu/dybdocroot/views/articles/fellows/2001_swire.htm (Oct. 3,
2001).
13. 45 C.F.R. § 164.534 (2001). The deadline for compliance with the rule
is now April 23, 2003. See Office for Civil Rights, National Standards to Protect the Privacy of Personal Health Information, at www.hhs.gov/ocr/hipaa
(date revised Mar. 27, 2002).
106746366
104
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
Fortunately, a careful inspection of the medical privacy
rule shows that extensive public health and public safety protections were built into the final rule, even though it was drafted before September 11.14 Indeed, the scope of these protections is not surprising, in light of the extensive participation of
both public health and public safety officials in the drafting of
the regulation. In light of these existing protections, considerable skepticism is appropriate when examining new proposals
to alter public health or public safety provisions in the HIPAA
privacy rule. There should be concrete showings of particular
need, not broad assertions that “everything is different after
September 11.”
This inspection of the medical privacy rule is distinctly
heartening, as is the conclusion in this Article that implementing security can provide a useful opportunity to implement privacy. The statutory call for privacy protection in HIPAA was a
result of an understanding in Congress that the shift to electronic medical records required that security and privacy be
built in at the same time, as part of a unified upgrading of medical information systems. To an extent not often enough realized to date, this upgrading of systems means that we more often face a situation of security and privacy, working together,
than we might otherwise have suspected.
I. “SECURITY VS. PRIVACY” OR “SECURITY AND
PRIVACY”
In recent years, there has been a great deal of public debate on what measures to take to protect individual “privacy.”15
The term “privacy” is quite general and has been given a plethora of definitions.16 For our purposes, we define “privacy” as
providing individuals some level of information and control regarding the uses and disclosures of their personal information.
In recent years, and even more since September 11, there
has been a similarly intense debate about how to protect “security.”17 This term is also quite general and covers broad sub-
14. See discussion infra Part III.
15. For a discussion of the privacy debate of the late 1990s, see Peter P.
Swire, The Surprising Virtues of the New Financial Privacy Law, 86 MINN. L.
REV. _______ (2002).
16. See RICHARD C. TURKINGTON, ET. AL, PRIVACY: CASES AND MATERIALS
60-62 (1992) (providing over 12 different definitions).
17. See, e.g., Testimony Before the House Committee on the Judiciary
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 105
categories ranging from cybersecurity to airport security to national security. The primary focus of this article is information
security—which we simplify to mean the prevention of unauthorized access, use and disclosure of information.
In the wake of September 11, the greater focus on information security manifests itself in a variety of ways. First,
there is less tolerance for hackers or others who gain unauthorized access to information.18 Hackers less and less seem like
playful young experimenters who are learning computer skills
to power the New Economy.19 Instead, anyone entering a Pentagon or other system more and more seems like a computer
criminal deserving of societal sanction. Since the attacks,
many of us have a general sense of vulnerability and an accompanying uneasiness about the unauthorized use of virtually anything.20 Second, there is broader concern about cybersecurity
and the need to protect critical infrastructures—the telecommunications system, electric power system, banking system,
and so on.21 Many measures to protect critical infrastructures
were underway before September 11.22 We are now on greater
alert. Third, the importance of having effective computer
backups has become more evident. The attacks on the World
Trade Center caused great damage to Verizon’s telephone
(Sept. 24, 2001), at http://www.usdoj.gov/ag/testimony/2001/agcrisisremarks9
_24.htm.
18. See, e.g., Tiffany Kary, Government Renews Cybercrime Push, CNET,
at http://news.com.com/2100-1001-836486.html (Feb. 13, 2002) (discussing the
Department of Justice’s interest in stronger anti-hacking statutes because of
the harm it causes).
19. See, e.g., You Can Get in Real Trouble for Hacking!, at
http://www.usdoj.gov/kidspage/do-dont/reckless.htm (last updated Feb. 4,
1999) (warning children that hacking is not harmless fun, but rather a serious
problem that can endanger the public).
20. A ZDNet poll found that thirty-six percent of respondents classify the
cyberterrorism problem as “[e]xtremely serious; it scares the heck out of me.”
Another fifty percent feel it is “[n]ot bad yet, but it’s getting worse.” ZDNet,
How Serious a Problem is Cyber Terrorism?, at http://cgi.zdnet.com/zdpoll/
question.html?pollid=12047&action=a (last visited Mar. 29, 2002).
21. For example, Richard Clarke, Special Adviser to the President for Cyberspace Security, has warned that unless cybersecurity is made a priority, we
are at risk “of a “digital Pearl Harbor.” 147 CONG. REC. H8331 (daily ed. Nov.
16, 2001) (statement of Rep. Baird).
22. See Critical Infrastructure Insurance Office, Defending America’s Cyberspace: National Plan for Information Systems Protection, Version 1.0: An
Invitation to a Dialogue (2000), http://www.ciao.gov/resource/np1final.pdf (last
visited Apr. 14, 2002).
106746366
106
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
switching system and utter destruction to numerous firms’ onsite information systems.23 Fortunately, many of the sophisticated enterprises located at the Center had effective backup
systems offsite, enabling continued processing of banks payments and general resumption of access to databases often
within hours or days.24 It seems that many companies had created effective backups during the lead up to Y2K, but the attacks reminded business and government leaders of the need to
have such backups in the future.25
With this greater attention to security, there is a general
sense that privacy has become a less important issue. We
sometimes see “security vs. privacy,” where the two are antagonistic. Notably, greater security can often be accomplished
when security forces have greater information—raising privacy
risks. That is, security sometimes means greater surveillance,
information gathering, and information sharing. There can be
greater security when airport personnel search you and your
bags, when we know the locations of suspected terrorists, when
different law enforcement agencies share information on
threats, and so on. Security interests can be advanced when
law enforcement is able to monitor the online movements of
hackers, when hospitals report cases of anthrax infection, when
ambulance drivers report possible terrorists. The list goes on.
But the heart of it is that greater information flows can promote security by getting information to the proper decisionmakers.26 As these information flows increase, privacy de23. As a result of the World Trade Center attacks, a Verizon switching
hub was virtually destroyed, and approximately 300,000 voice lines and 2.5
million data circuits were damaged. Three months after the attacks, about
5,700 lines remained out of service. Dennis K. Berman, Companies Seek Two
Separate Phone Systems-Just In Case, WALL ST. J, Dec. 20, 2001, at B1. Another source reported 200,000 telephone lines and 3.5 million data circuits affected. Phone Service Spotty Near Ground Zero, Critics Say, TIMES UNION,
Dec. 11, 2001, at B2. The “patchwork” voice messaging system that Verizon
set up after September 11 overloaded and collapsed in early December, resulting in the loss of thousands of messages. Paul Tharp, Phone Mail Disappears
at Verizon, N.Y. POST, Dec. 7, 2001, at 47.
24. Justin Gillis, Backup Systems Passed Trying Test; Despite Scale of Destruction, Wall St. Data Largely Saved, WASH. POST, Sept. 27, 2001, at E1.
25. See id. (noting there were “no documented case[s] of a bank-account
holder or brokerage client losing assets in the disaster.”).
26. One of the co-authors is engaged in ongoing research into the question
of when greater disclosure either helps or harms computer security. For an
early version of the research, see Peter P. Swire, What Should be Hidden and
Open in Computer Security: Lessons from Deception, the Art of War, Law, and
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 107
creases.
The surveillance provisions of the USA-PATRIOT Act, in
our view, generally illustrate “security vs. privacy.” To take only a few examples, the Act:
•Increases the scope of roving wiretaps,
where law enforcement can access communications from any device used by a suspect, rather
than needing to get a new order for each phone
or computer;27
•Broadly increases the scope of emergency
orders to trace communications, which apply before a judge approves a court order;28
•Allows one court order for tracing communications to apply nationwide, rather than requiring a new order in the district where a communications provider operates;29
•Allows a much broader category of cases to
use information developed under the Foreign Intelligence Surveillance Act, where those subject
to wiretaps are not informed of the surveillance
even after the fact;30
•Permits information developed by a grand
jury in a law enforcement proceeding to be
shared with intelligence agencies;31
•In a “computer trespasser” provision that
was never the subject of a Congressional hearing, permits law enforcement officials to set up
extended residence at a communications provider to surveil the communications of unauthorized users.32
The focus on surveillance, so evident in the USA-PATRIOT
Act, nonetheless captures only part of the story. In many instances we see “security and privacy,” where the two are comEconomic Theory, available at http://www.arxiv.org/abs/cs.CY/0109089 (last
visited Apr. 7, 2002).
27. See Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism (USA-PATRIOT Act) Act
of 2001, Pub. L. No. 107-56, § 216(b), 115 Stat. 272, 288-90 (2001).
28. See § 212, 115 Stat. at 284-85.
29. See § 219, 115 Stat. at 291.
30. See § 214, 115 Stat. at 286-87.
31. See § 203(a), 115 Stat. at 278-80.
32. See § 217, 115 Stat. at 290-91.
106746366
108
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
plementary. Under the standard approach to privacy protection, good security is an essential fair information practice.33
After all, good privacy policies are worth very little if hackers or
other outsiders break into the system and steal the data. Both
privacy and security share a complementary goal—stopping
unauthorized access, use, and disclosure of personal information. Good security, furthermore, does more than keep the
intruders out. It creates audit trails about which authorized
users have accessed particular systems or data. These audit
trails allow an accounting over time of who has seen an individual’s personal information. The existence of accounting
mechanisms both deters wrongdoing and makes enforcement
more effective in the event of such wrongdoing. To take one
example, the HIPAA medical privacy rule requires an accounting (a log) of who has seen a patient’s data for other than
treatment, payment, or health care operations purposes.34 Patients can see these logs, and the existence of the accounting
mechanism will likely support both privacy (patient confidentiality) and security (prevention of unauthorized uses of the system).
The importance of security and privacy is heightened by an
institutional dynamic that becomes especially salient after September 11. Our experience in implementing privacy in the U.S.
Government and in the private sector suggests that the most
cost-effective and thorough implementation of privacy occurs at
the time of a computer system overhaul. This approach was
fundamental to the way that Congress designed and the Clinton Administration implemented HIPAA. HIPAA requires
standardized electronic formats for most health transactions.35
Implementation of the HIPAA transaction rule, which defines
those formats, was joined together with implementation of the
security and privacy rules.36 In this way, both security and
33. See Swire, supra note 15, at PAGE cite to page where last sentence of
Part I appears, right before Part I.A. in Finacial Privacy Article!(page 4 of
master copy)
34. 45 C.F.R. § 164.528 (2000).
35. See 65 Fed. Reg. 50,312, 50,369 (Aug. 17, 2000) (to be codified at US
C.F.R. pt. 162) (requiring covered entities to conduct standardized transactions).
36. The linked nature of the transaction and privacy rule can be seen, for
instance in the announcement of the final privacy rule, where the costs and
benefits of the two rules were considered together, producing “a net savings of
approximately $12.3 billion for the health care delivery system while improving the efficiency of health care as well as privacy protection.” Protecting the
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 109
privacy could be included as part of the system overhaul of
moving many medical records from paper to electronic formats.
This idea of linking privacy with a system overhaul becomes even more important after September 11. Government
and private computer system owners are now making security
a much higher priority, and many systems will be overhauled
in the interest of improved security.37 Instead of this being a
systematic threat to privacy, as suggested by the “security vs.
privacy” perspective, these new systems present an important
opportunity to build good data handling practices generally into
the new systems. The Information and Privacy Commissioner
for the Province of Ontario, Ann Cavoukian, has launched an
initiative known as STEPS (Securities Technology Enhancing
Privacy).38 This initiative is designed expressly to team security upgrades with good technological practices for privacy protection. When greater resources are devoted to computer security, there is a strategic opportunity to upgrade good privacy
and other data handling practices at the same time.
II. THE HIPAA PRIVACY RULE, PUBLIC HEALTH, AND
PUBLIC SAFETY
The discussion thus far has shown that it is possible for security and privacy to work either together or at cross-purposes.
To the extent the latter is true, a worrisome question after the
World Trade Center attacks is whether the HIPAA privacy rule
was drafted without sufficient attention to the public health
and public safety concerns that became so prominent after the
attacks. We now briefly describe the privacy rule and then examine the extent to which it already incorporates these public
health and public safety concerns.
Privacy of Patients’ Health Information: Summary of the Final Regulation,
http://www.privacy2000.org/archives/HHS_12-20-00_fact_sheet_the_Final_Regulation.html (Dec. 20 2000).
37. See e.g., Alex Leary, Nuclear Plants Step Up Security, ST.
PETERSBURG TIMES, Feb. 15, 2002, at 4B (reporting that federal authorities
asked state and local officials to comb their Web sites and scrutinize information about nuclear power facilities): Jennifer McKee, LANL Yanks Web Info, ALBUQUERQUE J., Nov. 17, 2001, at 1 (reporting that officials at Los Alamos
National Laboratory (LANL) removed information from their Web site, in response to a directive from the National Nuclear Security Administration).
38. Ann Cavoukian, Technology Can Ensure Both Privacy and Security,
KITCHENER-WATERLOO REC., Jan. 10, 2002, at A13.
106746366
110
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
A. THE HIPAA PRIVACY RULE
As discussed above, the Health Insurance Portability and
Accountability Act of 1996 required health providers and plans
to shift toward standardized, electronic formats for sharing
medical records. Congress initially contemplated that it would
enact medical privacy legislation by the summer of 1999. When
it did not do so, the Department of Health and Human Services
assumed the power to issue a HIPAA privacy regulation. The
proposed rule was announced in October 1999. After a round of
53,000 public comments, President Clinton announced the final
regulation in December 2000. In April 2001, President Bush
confirmed that the rule would go into effect essentially as
drafted, with actual compliance by April 2003.
To summarize key aspects of this far-reaching rule, the
federal regulation will now require health care providers,
health plans, and health care clearinghouses to:
•Provide notice of their information practices;39
•Use and disclose protected health information only with patient permission, except in
cases where designated national priorities warrant otherwise;40
•Permit patients to access and request correction of their records;41
•Provide patients an accounting of to whom
their protected health information has been disclosed;42
•Limit the use and disclosure of protected
health information to the minimum necessary
amount;43
•Implement security safeguards to protect
against unauthorized access or disclosure;44 and
•Obtain satisfactory assurances, via a written contract, that their business associates using
protected health information are protecting the
39.
40.
41.
42.
43.
44.
45 C.F.R. § 164.520(a)(1) (2001).
See id. at § 164.512.
Id. at § 164.526(a).
Id. at § 164.528(a)(1).
Id. at § 164.502(b)(1).
Id. at § 164.530(c)(2).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 111
privacy of that information.45
A central feature of the privacy rule is a set of limitations
on uses and disclosures of protected health information. In
general, the rule prohibits protected health information (“PHI”)
from being released to third parties, or used by the health care
industry, except as directed by the patient in signed consent or
authorization forms.46 If the rule did not have exceptions, it
would indeed impose serious obstacles to anti-terrorism efforts.
Any government agency would be refused access to medical information unless the subject of the record provided written
documentation permitting such release. Permission might be
difficult to get, to say the least, if the individual were engaged
in terrorist activities.
The rule does have exceptions, however. Patient permission is not required for defined national priority purposes.47 It
is only by examining these exceptions carefully that we can determine the extent to which the HIPAA privacy rule, drafted
before September 11, remains appropriate in light of heightened concern about terrorist activities.
45. Id. at § 164.502(e)(2).
46. As this article was being completed, the Bush Administration proposed changes to the medical privacy rule. One change would eliminate the
requirement that covered entities get consent in advance of using or disclosing
protected health information for specified purposes, notably for treatment,
payment, and health care operations. The proposed changes would retain the
requirement of opt-in patient authorization before the health information is
used or disclosed for purposes outside of those specified in the rule. See 67
Fed. Reg. 14,776, 14,812 (proposed Mar. 27, 2002), www.hhs.gov/ocr/hipaa/
promods.pdf (date revised Mar. 27, 2002).
47. In addition to the public health and public safety provisions, see infra
Parts III.B, III.C, other exceptions were defined for uses and disclosures: required by law; about “victims of abuse, neglect or domestic violence”; for
“health oversight activities”; for “judicial and administrative proceedings”;
about decedents; for “cadaveric organ, eye or tissue donation purposes”; for
“research purposes”; for “specialized government functions”, including for military activities, and protective services for the President , “medical suitability
determinations” for the State Department, “correctional institutions”, and
public benefit programs; and for workers’ compensation. 45 C.F.R. § 164.512.
This extensive list, based on extensive comments within the government and
from the public, suggests the wide range of issues that were considered in the
promulgation of the HIPAA privacy rule. Criticisms of the rule (some of which
are undoubtedly valid) should thus be based on particularized attention to its
shortcomings as drafted rather than broad assertions that the rulemaking
process did not consider a particular issue or concern.
106746366
112
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
B. DISCLOSURE FOR PUBLIC HEALTH PURPOSES
In October 2001 the appearance of anthrax spores in the
U.S. mails, and subsequent infection of dozens of people, created an array of important challenges for the public health community. It was abundantly clear that use and disclosure of
considerable personal health information would be needed to
respond to these challenges.48
Public health officials, for instance, needed to understand
the scope of the anthrax impact, including knowing the number
of anthrax-infected people. To determine the scope of the problem, PHI was needed from physicians, hospitals, emergency
rooms, and laboratories, as well as from public health authorities and anyone else possessing information on the threat.49
Public health officials, especially during the height of the
anthrax scare, needed to identify people who might be at risk
for infection, and thus had reason to learn about the activities
and contacts of individuals whose infection was already suspected or confirmed. This identification effort required disclosing PHI to co-workers, neighbors, family members, and at
times the general public. These “warning” disclosures often
come with the victim’s permission. One can easily envision,
however, situations where the permission will not be provided.
Sometimes there are administrative snags, such as when the
patient is no longer easily available to give signed permission.
Law-abiding people might choose not to give permission, including unusually private people, people in denial of their illness, those seeking to guard loved ones from painful information, and those suspicious for whatever reason about turning
over information to government agencies. Those on the wrong
side of the law, from undocumented aliens to criminal conspira-
48. See Dr. Jeffrey P. Koplan, Building Infrastructure to Protect the Public’s Health, Address Before the Association of State and Territorial Health
Officials, at http://www.phppo.cdc.gov/documents/KoplanASTHO.pdf (last visited Apr. 14, 2002) (statement by the director of the Centers for Disease Control and Prevention naming “accessible information systems” and “solid communication” as two of seven priorities for a public health infrastructure).
49. See Rea Blakey, Six Months Later: Anthrax Lessons Learned, CNN, at
http://www.cnn.com/2002/HEALTH/03/26/anthrax.lessons/index.html
(Mar.
26, 2002) (reporting that medical specialists note that among the lessons
learned from the anthrax scare include the needs of quickly identifying the
most vulnerable potential victims, sharing sensitive information, and improving communication between various government entities and public health
doctors).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 113
tors or terrorists, would generally be unwilling to disclose their
activities or confederates.
The need for information sharing would be even greater if
the public health threat came from a highly communicable and
deadly disease, such as smallpox. In some instances, such as
an epidemic or the detection of infectious carriers of the disease, public health authorities might require PHI of thousands
or even more people to contain the disease, vaccinate exposed
populations, and take other countermeasures.50
With the importance of information sharing clearly in
mind, we turn to the relevant language in the privacy rule.
The rule generally authorizes a covered entity such as a hospital to disclose PHI for defined “public health activities and purposes.”51 Notably, disclosure is allowed to any
public health authority that is authorized by law to collect or receive
such information for the purpose of preventing or controlling disease,
injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of
public health surveillance, public health investigations, and public
health interventions.52
Going beyond public health authorities, the rule authorizes
disclosure to
a person who may have been exposed to a communicable disease or
may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by
law to notify such person as necessary in the conduct of a public
health intervention or investigation.53
The effect of this regulatory language is great flexibility in
the release of public health information. The term “public
health authority” is defined broadly.54 PHI can flow to any
50. Based on the premise that a smallpox outbreak will “necessitate extensive communication activities,” the CDC’s “Interim Smallpox Response
Plan & Guidelines” calls for “a policy of full disclosure” of information, and
specifically the immediate release of information regarding the circumstances,
exposure source, and other details of patients with confirmed cases of smallpox. CENTERS FOR DISEASE CONTROL AND PREVENTION, U.S. DEP’T OF
HEALTH AND HUMAN SERV. INTERIM SMALLPOX RESPONSE PLAN AND
GUIDELINES, GUIDE E: COMMUNICATIONS PLANS AND ACTIVITIES, E2
http://www.bt.cdc.gov/DocumentsApp/Smallpox/RPG/GuideE/Guide-E.pdf
(Jan. 23, 2002).
51. 45 C.F.R. § 164.512(b)(1).
52. Id. § 164.512(b)(1)(i).
53. Id. § 164.512(b)(iv).
54. The term “public health authority” means:
an agency or authority of the United States, a State, a terri-
106746366
114
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
public health authority that is “authorized by law” to collect or
receive such information for public health purposes. These
purposes include, but are not limited to, the reporting of disease and injury and the conduct of three undefined but apparently broad categories of activity: public health surveillance,
public health investigations, and public health interventions.
Applied to an anthrax or smallpox outbreak, it would appear that the current privacy regulation would permit a hospital to share information with local, state, and federal authorities in ways that would further the public health. The only
important limit under the regulation appears to be the requirement that the public health authority be “authorized by
law” to collect or receive the information. One can imagine a
particular state or local authority that currently lacks this sort
of formal authorization. In such instances, there is a logical
basis for exploring whether to update the law to provide authorization. Such updating, however, is entirely within the discretion of the relevant legislature and the HIPAA privacy rule
does not constrain that decision.
In many ways, as we examine further below, the more serious legal issue arises from a different gap in the HIPAA legislation. The statute applies directly only to “covered entities,”
which are health providers, health plans, and health care clearinghouses.55 It applies indirectly to the business associates of
those entities, such as agents who handle health information
on behalf of one of the covered entities.56 The statute does not,
however, apply to public health agencies or those who receive
information from such agencies. In drafting the regulation, the
Department of Health and Human Services simply lacked authority to craft privacy and security protections once the data
was in the hands of the public health agencies. In light of the
liberal rules for supplying public health information to the
agencies, the biggest privacy and security issues going forward
tory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority,
that is responsible for public health matters as part of its official mandate.
Id. § 164.501.
55. See id. §§ 164.500(a), 164.501.
56. See id. § 164.500(b)(1).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 115
are likely to arise in the largely unregulated instances once the
public agencies have received the data.57
C. REPORTING SUSPICIOUS ACTIVITY
We now turn to the provisions under the HIPAA rule that
govern the release of health information to law enforcement
and other public safety officials. Prior to the rule, professional
ethical codes and some state laws limited the disclosure of
health information to these officials. There was no national
law limiting disclosure, however, and police officers could simply walk into a doctor’s office or emergency room in many jurisdictions and receive patient information without the patient’s
consent and without legal limits. The privacy rule created new
requirements before covered entities could share health information with law enforcement officials.58
In considering whether the new privacy rule went too far,
consider how health information might be important to national security in the following examples:
Suppose as an emergency medical technician (EMT) you
rush to the scene of a terrorist bomb attack. You observe, only
minutes after the blast, an individual who appears to have
been wounded by the attack, who is agitated, and who asks you
to treat him but not report to anyone that you have seen him.
Suppose that you are a nurse treating an individual for
possible anthrax exposure, and learn that the patient is a scientist with strong anti-American views.
In both of these cases you might reasonably believe that
you have evidence that the person is a terrorist who has already struck or who is planning to strike. But you are also a
health care professional, with a general duty to protect the confidentiality of patient data. If evidence of every crime becomes
a reason to disclose information to the police, then underage
drinkers, users overdosing on drugs, HIV-positive people who
have not practiced safe sex, and people who may be a danger to
themselves or others all may avoid getting needed health care.
How does the HIPAA privacy rule address this trade-off
between reporting the information and keeping it confidential?
57. See Lawrence O. Gostin, Scott Burris & Zita Lazzarini, The Law and
the Public’s Health: A Study of Infectious Disease Law in the United States, 99
COLUM. L. REV. 59, 125-26 (1999) (discussing the lack of privacy safeguards in
the public health system).
58. See 45 C.F.R. § 164.512(f), (j).
106746366
116
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
The answer is that HIPAA specifically treats public safety as a
national priority that, under certain circumstances, trumps the
need to obtain patient permission for disclosures of health information. For the bomb attack, anthrax scientists, and other
security threats it does so through three primary provisions:
national security, emergency circumstances, and disclosure to
law enforcement more generally.
1. National Security Provision
To begin with, the little-discussed national security provision in HIPAA provides one way for the emergency medical
technician or nurse to report their suspicions. Section 512(k)(2)
of the rule states that a covered entity “may disclose protected
health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities” authorized by the National Security
Act and implementing authority.59
We hope and expect that the vast bulk of medical professionals will go through their career without ever having any
reason to disclose information under the HIPAA national security provision. Its presence in the regulation, however, makes
clear that national security information can be reported by
medical professionals even without patient consent.60 The reassuring corollary, for those wondering whether the privacy
rule undermines national security, is that the drafters of the
privacy rule had in fact contemplated possible national security
implications before September 11.
2. Emergency Circumstances
Section 512(j) of the privacy rule permits a covered entity
to come forward with health information in certain serious situations, including the nurse and possibly the EMT case.61 The
covered entity must comply with applicable law and standards
of ethical conduct. If it does, then it may disclose PHI if it believes, in good faith, that the use or disclosure: “[i]s necessary
to prevent or lessen a serious and imminent threat to the
59. Id. § 164.512(k)(2) (citation omitted).
60. Under the general approach of the privacy rule, the covered entity
complies with the rule so long as the disclosure is in “good faith.” See id. §
164.512(j)(4).
61. See id. § 164.512(j).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 117
health or safety of a person or the public”62 and “[i]s to a person
or persons reasonably able to prevent or lessen the threat”63
Reporting about a person apparently engaged in spreading anthrax would seem clearly to lessen such a threat to the public
safety. Reporting the possible terrorist bomber would qualify
if, in good faith, the covered entity believed that capture of the
bomber would lessen a serious and imminent threat to the public safety.
Section 512(j) has a second potentially relevant provision.
Disclosure is permitted by the covered entity if it would be
“necessary for law enforcement authorities to identify or apprehend an individual . . . [b]ecause of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious
physical harm to the victim.”64 The relevant factual question
here would be whether the apparent terrorist bomber had,
through his attempt to have the medical provider hide his identity, made “a statement by an individual admitting participation in a violent crime.” The mere statement of wanting confidentiality likely would not be such a statement, because there
are so many other reasons an individual might want confidentiality.65 Nonetheless, if the EMT’s patient actually confessed
to participating in the terrorist attack, the EMT could certainly
report to law enforcement.
3. General Law Enforcement Provisions
The national security and emergency circumstances provisions each provide possible ways for the nurse or the EMT to
volunteer information to the authorities about possible terrorist
activities. The general law enforcement provisions in the privacy rule, by contrast, generally govern how a covered entity
may disclose information in response to questions from law enforcement.
The basic rule is that a covered entity may supply PHI to a
62. Id. § 164.512(j)(1)(i)(A) (emphasis added).
63. Id. § 164.512(j)(1)(i)(B).
64. Id. § 164.512(j)(1)(ii).
65. Suppose the individual had told a boss, a friend, or a family member
that he was going to be somewhere else, and would be embarrassed to have his
true location known. The reasons for secrecy may or may not be creditable
(secret shopping for a birthday present would hardly be cause for moral censure), and the mere request for confidentiality should not be considered an
admission of participation in a violent crime for purposes of the privacy rule.
106746366
118
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
law enforcement official based on a court order, grand jury subpoena, or special administrative subpoena that certifies compliance with privacy-protective criteria.66 This approach is less
strict than the standard requested by many privacy advocates
and industry groups, which would have been the Fourth
Amendment standard of probable cause as found by an independent magistrate.67 The approach is stricter, however, than
the previous federal rule that allowed medical providers to turn
over medical records without any legal process.68 As applied to
our nurse and EMT examples, the general rule would permit
covered entities to supply the records to law enforcement officials if and only if the officials made a lawful request to the
covered entity that had the relevant information.
The rule is a notch less strict where a law enforcement official requests information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. In
such instances, the covered entity may supply basic identifying
information, but not the entire medical record, even in the absence of legal process.69 This provision might be very useful to
66. Id. § 164.512(f)(1). For the administrative subpoena, the following criteria must be met: “(1) the information sought is relevant and material to a
legitimate law enforcement inquiry; (2) [t]he request is specific and limited in
scope to the extent reasonably practicable . . . ; and (3) [d]e-identified information could not reasonably be used. Id. § 164.512(f)(1)(ii)(C).
67. In its recommendations for legislation regarding the use of medical
records and information, the National Coalition for Patient Rights states:
We feel strongly that law enforcement access to medical records should be governed by the same standards of other information gathered in the course of criminal investigations,
namely, a court order. The potential for the abuse by law
enforcement agencies and personnel is far too great if they
are given unrestricted access to medical records.
National Coalition for Patients Rights, Protecting the Privacy of Medical Records: An Ethical Analysis, http://www.nationalcpr.org/WP-recomm.html (last
visited Apr. 7, 2002).
68. See id.
69. The information that can thus be disclosed includes:
A) Name and address; (B) date and place of birth; (C) Social
security number; (D) ABO blood type and rh factor; (E) type
of injury; (F) date and time of treatment; (G) date and time
of death, if applicable; and (H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial
hair (beard or moustache), scars, and tattoos.
45 C.F.R. § 164.512(f)(2)(i).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 119
law enforcement, for example, in finding a suspected terrorist
with a known description, without the need to get legal process
for each emergency room or doctor’s office in a large city.70
4. Summary on Reporting Suspicious Activity
The existence of the national security, emergency circumstances, and law enforcement provisions indicate that there
was extensive deliberation in the drafting of the HIPAA privacy
rule about how to achieve both privacy and protection of public
safety. When the Clinton Administration made detailed legislative recommendations in 1997, it supported the status quo for
law enforcement, with no federal legal limits on the disclosure
of health information to police.71 After public debate on the issue, the proposed HIPAA privacy rule in 1999 added the general law enforcement provisions much as they exist today. After further public debate and extensive written comments,
including from the Department of Justice, the final privacy rule
in 2000 added the emergency circumstances provision. At the
time the rule was announced, President Clinton also issued an
Executive Order that limited the way that information gathered for health oversight purposes could be used in law enforcement activities.72
70. There are other exceptional circumstances that permit a covered entity to disclose PHI to a law enforcement official without an initiating request
from that official. Those situations involve either PHI “that the covered entity
believes in good faith constitutes evidence of criminal conduct that occurred on
premises” or, in medical emergencies off premises, where the disclosure appears necessary to alert law enforcement to basic information regarding the
commission of a crime. Id. § 164.512(f)(6). These particular provisions might
enable the EMT or the nurse, described above, to report suspicious activity,
depending on the factual circumstances.
71. Confidentiality of Individually-Identifiable Health Information: Recommendations of the Secretary of Health and Human Services, Pursuant to
Section 264 of the Health Insurance Portability and Accountability Act of 1996,
http://www.epic.org/privacy/medical/hhs_recommendations_1997.html (Sept.
11, 1997) (recommending that the privacy laws governing disclosure of health
information to police “should neither expand nor contract” because the police
can already “obtain, share, and use health information without patient consent and without legal process”) .
72. Exec. Order No. 13181, 65 Fed. Reg. 81321 (Dec. 26, 2000). The
HIPAA privacy rule grants quite broad powers for health oversight agencies to
have access to patient medical records, for the purpose of preventing fraud by
the health care provider or plan. See 45 C.F.R. § 164.512. The point of the Executive Order is that this ability to see medical records for purposes of monitoring the performance of the covered entity should not be used as a back door
106746366
120
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
This history in the law enforcement area matches the discussion above about public health. In both instances, there was
substantial consideration of the issues during the drafting of
the privacy rule. Individuals in good faith may disagree with
the outcome of the final rule. Some will believe that the law
enforcement provisions are too strict, frustrating efforts to protect the public safety. Others will believe them too loose, allowing police to rummage too easily into individuals’ confidential
medical records without the requirement of an independent
magistrate first issuing a warrant. The examples of the nurse
and the EMT, however, suggest that existing law would allow
disclosure of medical information in situations involving evidence of terrorism. Any change to the law enforcement provisions should be based on particularized arguments about specific flaws, not vague assertions that the relevant issues are
entirely new since September 11.
III. PROPOSED CHANGES TO PUBLIC HEALTH LAWS
The Article to this point has discussed how the existing
HIPAA privacy rule already reflects extensive consideration of
the public health and public safety issues that came to the forefront after the 2001 terrorist attacks. On October 23, 2001
symposium co-authors Lawrence Gostin and James Hodge released their Model State Emergency Health Powers Act to provide comprehensive guidance to state lawmakers looking to be
better prepared for public health emergencies.73 The Model Act
would appoint a planning Commission to develop a public
health emergency plan.74 It would establish criteria and processes for declaring a “state of public health emergency.”75 It
would provide for special powers during such a state of emergency, including for example: access to and control of materials,
for law enforcement to get records about individual patients. The Executive
Order applies only to federal law enforcement officials who are subject to the
President’s authority, although it may be a useful model for state rules limiting use of health information received for oversight purposes.
73. For an early draft of the Model Act, see MODEL STATE EMERGENCY
HEALTH POWERS ACT www.publichealthlaw.net/MSEHPA/MSEHPA.pdf (Oct.
23, 2001). For the revised version, see MODEL STATE EMERGENCY HEALTH
POWERS ACT (2001), available at www.publichealthlaw.net/MSEHPA/
MSEHPA2.pdf (Dec. 21, 2001) [hereinafter Model Emergency Act]. Citations
are made to the revised version except where otherwise noted.
74. MODEL ACT §§ 201-02.
75. Id. § 401-402.
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 121
facilities, roads, and public areas; safe disposal of infectious
waste and human remains; protecting persons via medical examination and testing, vaccination and treatment, and isolation and quarantine.76
In terms of information policy, James Hodge at the Symposium proposed what he called a “model of information sharing”
for health information rather than the model of information
privacy that he sees reflected in the current HIPAA rules.77
The Model Act mandates a great deal of information sharing at
all times, and not just during the state of public health emergency that is addressed in some other provisions. The Model
Act provides for mandatory reporting by health care providers
(including laboratories), coroners, and medical examiners of “all
cases of persons who harbor any illness or health conditions
that may be potential causes of a public health emergency.”78
It requires that pharmacists “report any unusual or increased
prescription rates, unusual types of prescriptions, or unusual
trends in pharmacy visits that may be potential causes of a
public health emergency.”79 Section 302 addresses “tracking”
and requires public health authorities to identify “all individuals thought to have been exposed to an illness” that might
cause a public health emergency, interview such individuals to
identify exposed individuals and “develop information relating
to the source and spread of the illness.”80 The Model Act allows
information sharing between and among the “public health authorities, public safety authorit[ies], tribal authorities, and federal health and public safety authorities.81 These provisions, in
sum, call for substantial, ongoing and often legally required information collection and sharing of medical data by relevant
authorities.
Along with these new information collections, the Model
Act includes provisions incorporating privacy principles. Section 303 limits information sharing among relevant agencies to
the amount “necessary for the treatment, control, investigation,
and prevention of a public health emergency.”82 Section 607
76.
77.
78.
79.
80.
81.
82.
Id. § 501-02.
Information on file with author.
MODEL ACT § 301(a).
Id. § (301)(b).
Id. § 302(b).
Id. § 303(b).
Id. § 303(c).
106746366
122
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
permits access to PHI only for those having a legitimate need
for the information to provide treatment, conduct epidemiological research, and investigate the causes of transmission.83 This
section also limits disclosure to defined classes such as family
members, federal agencies pursuant to law, court orders, and to
identify a deceased individual or determine the manner or
cause of death.84
In examining the Model State Emergency Health Powers
Act, we begin with agreement that existing state public health
law, often drafted in response to communicable disease epidemics of a century ago or more, may well need updating in numerous respects. We also note that the authors Gostin and Hodge
have previously worked extensively on medical privacy issues
in their Model State Public Health Privacy Act of 1999.85 Their
December 21, 2001 draft addressed a number of the privacy
criticisms that were made of the original October 23, 2001 draft
and they have indicated that they would support considering
the model privacy act with the model emergency health powers
act.
With that said, however, we have a number of concerns
about the current form of the project. The first concerns its title. It is called the “Model State Emergency Health Powers
Act,” yet many of its provisions, including the mandatory information sharing provisions, would apply on a permanent basis and not only once an emergency had been declared. It does
a disservice to the public debate to pretend that a bill is about
public health emergencies when its provisions instead apply
much more generally.
Second, the current draft is still very incomplete in the area of privacy protections. The Health Privacy Project has submitted detailed comments showing how the Model Act lacks
standard privacy protections including: access and disclosure
requirements for data collected prior to a public health emergency; limits on the amount and type of PHI needed to accomplish specific purposes; limits on which sort of government
agencies can access the data; enforcement and penalty provisions for violations; information security requirements; and so
83. Id. § 607(a).
84. Id. § 607(b).
85. See MODEL STATE PUBLIC HEALTH PRIVACY ACT (1999), available at
http://www.critpath.org/msphpa/modellaw5.htm (Oct. 1, 1999).
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 123
on.86
The importance of including these privacy protections is
made even clearer in light of our discussion, above, of “security
and privacy.” A key point there was that privacy protections
will be implemented more effectively and at lower cost if they
are included at the time of a system overhaul. The anthrax incidents have focused far greater political attention on the public health system, creating what may be a once-in-a-generation
opportunity to update public health laws. The Model Act would
require large new categories of information sharing. For the
new public health system to handle data appropriately, effective privacy protections should be created at the same time. If
we don’t, we can readily anticipate incidents where state and
local public health agencies are embarrassed in the media by
incidents of sloppy handling of the increased flows of confidential health data. The result, in turn, could be greater reluctance on the part of many patients to share data with their
providers and providers to share data with the public health
agencies, undermining the mission of public health. For these
reasons of public health protection and cost-effective overhaul
of the systems, privacy protections should be an integral part of
new initiatives to increase public health data flows.
A third concern addresses the “model of information sharing” that James Hodge advocated at the Minnesota Law Review
Symposium. We do not agree that “information sharing” is the
way to describe how to handle patients’ medical records. The
United States is now in a period of implementing the HIPAA
privacy and security rules, a large effort that underscores the
importance of treating patients’ records with care and confidentiality. We believe that confidential treatment of medical records is a vital norm, widely shared by medical professionals
and almost universally favored by individual patients. To
abandon that norm, and shift to a “model of information sharing” for medical records, would be to undermine the implementation of HIPAA and the public confidence that patients can
trust their medical providers.
The existing HIPAA privacy rule offers a better way to con86. See Letter from Jantori Goldman, Director & Joanne L. Hustead, Senior Counsel, Health Privacy Project, to Lawrence O. Gostin, Professor and Director, Center for Law & the Public’s Health “HPP Comments on Draft Model
State Emergency Gealth Powers Act,” (Jan. 18, 2002), available at http://
www.healthprivacy.org/usr_doc/HPP%20comments%
20on%20model%20law%20Epdf.
106746366
124
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
ceptualize the relationship between confidentiality and data
sharing. The rule begins with an assumption that PHI will be
treated confidentialy.87 It then contemplates that PHI can be
shared for the basic purposes of treatment, payment, and
health care operations. Patients want and expect their medical
records to be used by those engaged in treatment and these
other basic purposes. The rule in addition contemplates a series of national priority purposes, including public health, law
enforcement, national security, medical research, and so
forth.88 For each of these purposes, there was an extensive
public process to determine the situations in which PHI could
be used or disclosed without patient consent.
This Article’s examination of the public health and reporting of suspicious activity indicates that the HIPAA privacy rule
appears to stand up well to the changed circumstances after
September 11. At the Minnesota Symposium, co-author Swire
asked James Hodge if he could name a single instance where
the HIPAA provision on public health posed an obstacle to sensible sharing of information. Mr. Hodge could not name a single instance, although this questioning occurred on the spot
and greater research might reveal such an instance. In the absence of identifiable problems in the current privacy rule, it
seems premature, to say the least, to claim that an entirely new
paradigm, the “model of information sharing,” is somehow
needed at this time.
CONCLUSION
In the days, weeks, and months after the attacks on the
World Trade Center and the Pentagon, many of us have had
the feeling that we wanted to “do something” to help respond to
the tragedy and ensure that similar attacks do not happen
again.
Politicians seeking public approval and possible
reelection are probably at least as prone as ordinary citizens to
want to show that they are “doing something” to face the new
circumstances. One understandable result was to pass new
laws that demonstrate the strong, and often sincere, feelings of
political leaders and the public.
87. The first major purpose of the rule is to “protect and enhance the
rights of consumers by providing them access to their health information and
controlling the inappropriate use of that information.” See 65 Fed. Reg.
82,462, 82,463 (Dec. 28, 2000).
88. See 45 C.F.R. §164.512.
106746366
3/3/2016 1:49 AM
2002]HEALTH CARE PRIVACY AFTER SEPTEMBER 11 125
The new surveillance provisions of the USA-PATRIOT
Act are one example of the political response to the September
11 attacks. Time will tell us much about the desirability of the
new government powers. By the time the act sunsets in 2004,
we will be in a better position to assess whether the new powers are a valuable response to the new threats of a dangerous
world or else an overreaction to a terrible, one-time tragedy.
Between now and 2004 those of us who care about these issues
have an important homework assignment. We should help the
Congress to understand the strengths and weaknesses of the
USA-PATRIOT surveillance provisions, and take advantage of
the intervening time to have a thoughtful and informed public
debate on how to achieve security and privacy in this area.
In the area of medical privacy, this Article’s analysis indicates that the rule stands up well to the concerns of the postSeptember 11 era. Concerns about public safety are met by existing provisions that permit disclosures to protect national security, to react to emergency circumstances, and to respond to
law enforcement inquiries. Concerns about public health, as
suggested by the anthrax incident, are also met by the current
rule. We are not aware of any needed disclosures for public
health purposes that are prohibited by the medical privacy
rule.
A broader message of this Article is that the protection of
privacy and security is often best done together. The most effective and least costly way to protect both is to insist on doing
so at the time of a computer system upgrade. For medical records, we are in the middle of a one-time shift from the mostlypaper records that existed in 1990 to the mostly-electronic
records that will exist by 2010. The 1996 HIPAA statute correctly required that privacy and security protections should be
an integral part of this one-time shift. Health care providers
and plans will assuredly shift to electronic systems when required to do so in order to qualify for payment by Medicare and
other sources. There is no better time to insist on shifting to
privacy and security safeguards as well.
This insight teaches a lesson as well about how state
public health laws should be updated as legislatures react to
the experience of the anthrax attacks. The anthrax attacks,
and the resulting public attention to public health issues, create the possibility of a once-in-a-generation overhaul of public
health statutes. These state public health authorities are not
generally covered by the HIPAA privacy and security require-
106746366
126
3/3/2016 1:49 AM
MINNESOTA LAW REVIEW
[Vol.86:pppp
ments. If and when state legislatures move forward with new
public health legislation, it is crucial to create privacy and security safeguards as an integral part of the new information
systems that will handle our public health records in the future. This is the best route to achieving the privacy and security that most Americans desire and that we can achieve.
Download