Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One [...]]]> Patients of rare diseases find that drug companies have little interest in devoting limited R&D budgets to diseases of small populations.  As a result, patients have begun to strike out on their own in the search of cures.  As The New York Times explains, patients increasingly share their medical information (including details about their everday experiences living with a disease) online in the hopes that other similarly-situated patients will do the same.  This would permit interested academic researchers to mine the data for observations about their diseases.  Patients see online communities as offering new ways to transform medical research–especially into rare diseases that elude the current model of large-scale studies of widespread conditions.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One imagines that these sites will respond to privacy concerns by employing anonymization practices.  For instance, sites might delete personal identifiers like names and social security numbers and remove other potential identifiers, such as names of next of kin or student ID numbers.  This ostensibly permits researchers to use the amassed data without concomitant privacy risks.  But, as Paul Ohm’s important and engrossing new paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization argues, technology renders this privacy-protection option obsolete.  Computing advances now permit clever adversaries to reidentify or deanonymize the people hidden in anonymized databases.  This means that datasets that were meant to be kept apart are easily rejoined, allowing sensitive secrets to be  revealed.

Patients may of course be willing to take that risk if their particpation in open-source research leads to cures of rare diseases.  Yet patients also jeopardize their offsprings’ privacy: if medical information can be reidentified with ease and linked with other datasets, a patient’s children may get caught up in that web of re-identification.  This may lead to genetic discrimination in the grown-up child’s life.  Grown-up children may be willing to bear that risk–it is, however, worth considering this possibility when assessing privacy concerns related to such open-source research efforts.

As Jacqueline Lipton noted Google Maps has enabled the persistence of race discrimination. Google [...]]]> Space the final frontier. These are the voyages of … ah, you know the rest. Exploration and the idea of frontiers seem to capture an important part of the human experience. The possibility of finding something new, of entering uncharted territories excites people. And, although one may want to keep the secret of the Northwest Passage or the Straits of Magellan a secret, sooner or later a map is created to increase the amount of benefit that can be extracted from the discovery. Yet with the world seeming to collapse into one connected place, the role of maps has changed. In short, maps are a new frontier for property and privacy.

As Jacqueline Lipton noted Google Maps has enabled the persistence of race discrimination. Google Maps has also spawned some other curious creations and connections. For example, I wrote about the flap over what is a true IMAX screen and that folks put together a map of IMAX screens with information about the screen size. The H1N1 (aka swine) flu epidemic revealed an interesting dual use for maps. One person created a frequently updated map with information about claimed incidents. I was curious about the source and found that one person at, what else, a bitotech company focused on recombination and disease, was behind the map. In addition, a group called Health Map seeks to offers a map that connects “disparate data sources to achieve a unified and comprehensive view of the current global state of infectious diseases and their effect on human and animal health.” On the light side, Total Film has a feature that uses Google Street view to show 25 favorite film locations.

As seems always to be the case, folks will probably soon argue about who owns what. The more interesting point might be the way maps show the malleability of information. In some hands, maps show fun things like where a film was shot. In other hands, maps provide useful epidemiological information. Yet, certain home owners may not be pleased about having tourists show up to gawk at what had been a quiet abode. Cities, counties, and even states may be upset if lay people assume that suspected or even confirmed outbreaks mean they should create a de facto or quasi-quarantine. Last, knowing where specific racial, religious, and other groups are can all too easily lead to mob behaviors.

The information mill churns. We have to sort it out. Old tools have new impacts. Today maps pose challenges. Tomorrow it will be something else. I am never certain that the law is the best way to manage these changes. Nonetheless, we have to consider what they are and how they function in case the law is asked to do so. On that note, please share any other creative and/or challenging uses of maps of which you are aware.

Last here is a little music for the trip:

Maps And Legends – R.E.M.

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on Amazon.com or on [...]]]> There’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on Amazon.com or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

I. PRIVACY

Introduction to Part I

Chapter 1. Soft Surveillance, Hard Consent: The Law and Psychology of Engineering Consent

by IAN KERR, JENNIFER BARRIGAR, JACQUELYN BURKELL, AND KATIE BLACK

Chapter 2. Approaches to Consent in Canadian Data Protection Law

by PHILIPPA LAWSON AND MARY O’DONOGHUE

Chapter 3. Learning from Data Protection Law at the Nexus of Copyright and Privacy

by ALEX CAMERON

Chapter 4. A Heuristics Approach to Understanding Privacy-Protecting Behaviors in Digital Social Environments

by ROBERT CAREY AND JACQUELYN BURKELL

Chapter 5. Ubiquitous Computing and Spatial Privacy

by ANNE UTECK

Chapter 6. Core Privacy: A Problem for Predictive Data Mining

by JASON MILLAR

Chapter 7. Privacy Versus National Security: Clarifying the Trade-Off

by JENNIFER CHANDLER

Chapter 8. Privacy’s Second Home: Building a New Home for Privacy Under Section 15 of the Charter

by DAPHNE GILBERT

Chapter 9. What Have You Done for Me Lately? Reflections on Redeeming Privacy for Battered Women

by JENA MCGILL

Chapter 10. Genetic Technologies and Medicine: Privacy, Identity, and Informed Consent

by MARSHA HANEN

Chapter 11. Reclaiming the Social Value of Privacy

by VALERIE STEEVES

II. IDENTITY

Introduction to Part II

Chapter 12. A Conceptual Analysis of Identity

by STEVEN DAVIS

Chapter 13. Identity: Difference and Categorization

by CHARLES D. RAAB

Chapter 14. Identity Cards and Identity Romanticism

by A. MICHAEL FROOMKIN

Chapter 15. What’s in a Name? Who Benefits from the Publication Ban in Sexual Assault Trials?

by JANE DOE

Chapter 16. Life in the Fish Bowl: Feminist Interrogations of Webcamming

by JANE BAILEY

Chapter 17. Ubiquitous Computing, Spatiality, and the Construction of Identity: Directions for Policy Response

by DAVID J. PHILLIPS

Chapter 18. Dignity and Selective Self-Presentation

by DAVID MATHESON

Chapter 19. The Internet of People? Reflections on the Future Regulation of Human-Implantable Radio Frequency Identification

by IAN KERR

Chapter 20. Using Biometrics to Revisualize the Canada–U.S. Border

by SHOSHANA MAGNET

Chapter 21. Soul Train: The New Surveillance in Popular Music

by GARY T. MARX

Chapter 22. Exit Node Repudiation for Anonymity Networks

by JEREMY CLARK, PHILIPPE GAUVIN, AND CARLISLE ADAMS

Chapter 23. TrackMeNot: Resisting Surveillance in Web Search

by DANIEL C. HOWE AND HELEN NISSENBAUM

III. ANONYMITY

Introduction to Part III 63.60 Kb

Chapter 24. Anonymity and the Law in the United States

by A. MICHAEL FROOMKIN

Chapter 25. Anonymity and the Law in Canada

by CAROLE LUCOCK AND KATIE BLACK

Chapter 26. Anonymity and the Law in the United Kingdom

by IAN LLOYD

Chapter 27. Anonymity and the Law in the Netherlands

by SIMONE VAN DER HOF, BERT JAAP KOOPS, AND RONALD LEENES

Chapter 28. Anonymity and the Law in Italy

by GIUSELLA FINOCCHIARO

[M]aterial available on the Web shows that people who have specific illnesses or use certain drugs can’t buy coverage.

”This is absolutely the standard way of doing business,” said Santiago Leon, a health insurance broker in Miami. Being denied for preexisting conditions is well known, but when a person sees the usually confidential list of automatic denials for himself, “that’s a eureka moment. That shows you how harsh the system is.” . . . .

Searching the Web, The Miami Herald found underwriting guidelines for Coventry Health Care, which owns Vista; Wellpoint; [...]]]> For the millions of people losing their jobs and having to obtain health insurance on their own, they are in for quite some difficulty if they have a pre-existing condition. According to the Miami Herald:

[M]aterial available on the Web shows that people who have specific illnesses or use certain drugs can’t buy coverage.

”This is absolutely the standard way of doing business,” said Santiago Leon, a health insurance broker in Miami. Being denied for preexisting conditions is well known, but when a person sees the usually confidential list of automatic denials for himself, “that’s a eureka moment. That shows you how harsh the system is.” . . . .

Searching the Web, The Miami Herald found underwriting guidelines for Coventry Health Care, which owns Vista; Wellpoint; Assurant Health; and Blue Cross Blue Shield of Nebraska.

Among the health problems that the guides say should be rejected: diabetes, hepatitis C, multiple sclerosis, schizophrenia, quadriplegia, Parkinson’s disease and AIDS/HIV.

For cancer, the key is how patients have been doing in remission. Wellpoint, a national insurer, rejects applicants who have had breast or prostate cancer within the past five years. With other types of cancer, 10 years must have passed. Assurant Health, based in Milwaukee, rejects most patients whose cancer has not been in remission for at least eight years.

Other reasons for automatic denial by various companies: alcohol-related problems of people who have not been abstinent for at least six years, chronic bronchitis, severe migraines, and a cardiac pacemaker installed within the last two years.

Some insurers will automatically reject applicants who are using certain prescription drugs. Wellpoint denies anyone who within the past year has taken Abilify and Zyprexa for mental disorders as well as Neupogen, which is used to treat the side effects of chemotherapy. Vista lists the anticoagulant Warfarin and the pain medication Oxycontin. Both companies list insulin.

The article also discusses how the insurers use database companies to gather data about people’s medical conditions and prescription drug use:

To make sure that applicants are not lying, insurers hire a data-gathering service — Medical Information Bureau, Milliman’s Intelliscript or Ingenix Medpoint.

Intelliscript and Medpoint do computerized searches of a person’s drug use, gleaned from pharmacy benefits managers and other databases.

The difficulty is that if a person has a disease, then it may be nearly impossible for that person to obtain health insurance. My advice: (1) stay employed; (2) don’t get ill. Otherwise, you’re basically out of luck.

The surge in identity theft, and cyber crime more generally, should have us [...]]]> According to a Javelin Strategy & Research study, the incidence of identity theft jumped sharply in 2008, up 22% from the prior year. Over 9.9 million Americans fell victim to criminals who used their identifying information to borrow money, empty bank accounts, and other modes of financial impersonation. This is unsurprising news given the current state of our economy: experts predict a sharp rise in cybercrime in 2009 as financial gain from stealing data is increasingly more attractive in times of economic crisis. And if the economic downturn isn’t enough incentive, the difficulty and low incentives to catch identity thieves certainly suggests to criminals that identity theft’s benefits exceed its costs.

The surge in identity theft, and cyber crime more generally, should have us tread carefully as we move forward in digitizing health records. Electronic health records systems run a number of privacy risks and medical identity theft is surely one of them. As our unemployment rates continue to rise, so, too, will the number of uninsured Americans. In turn, we will no doubt see a continued increase in medical identity theft as people who do not qualify for coverage under Medicaid or Medicare will still need surgeries and prescription drugs. Moreover, as the ACLU recently wrote to Congress, employers who obtain medical records inappropriately might reject a job candidate who appears expensive to insure. Data brokers might buy medical and pharmaceutical records and sell them to marketers. And unscrupulous employees might snoop on the health of their colleagues. Protecting the privacy of patients is a tough, but not impossible, task. Effective solutions (which I will blog about in upcoming posts) must enlist law, technology, and social norms to protect individuals from the host of privacy problems that e-health records systems raises.

Consumers should note that the emerging market for genetic information is largely unregulated. As this week’s CQ Weekly reports, the FDA usually does not review the tests for approval and has no explicit regulations on what companies can [...]]]> As Deven blogged about yesterday, the Personal Genome Project (PGP) hopes to convince 100,000 people to post their genetic information online in an effort to widen the available data set and expertise for research. (Although the current participants in the study are entrepreneurs in the biomedical industry and academics, 5,000 other individuals have signed on to take part in it). Businesses also are getting into the act, providing information to consumers about possible medical risks encoded in their DNA for as little as $399.

Consumers should note that the emerging market for genetic information is largely unregulated. As this week’s CQ Weekly reports, the FDA usually does not review the tests for approval and has no explicit regulations on what companies can tell consumers about their likelihood of disease. Companies also are not obliged to adhere to the privacy protections of HIPAA because they fall outside the definition of health care providers, even though some say that they follow HIPAA’s privacy guidelines. Federal law prohibiting discrimination on the basis of genetic data applies only to employers and health insurers, not life insurance companies. On the state level, limited protections exist regarding the collection and use of genetic information to consumers purchasing information about their DNA. State laws regulating genetic testing typically do not apply to genetic information providers. Like federal law, they prohibit employers and insurers from discriminating against individuals on the basis of their genetic information. A number of states, however, do require explicit consent for sample storage, or demand the destruction of samples after the purpose of their collection has been achieved. But, on the main, state laws addressing DNA collection and banking activities do not generally apply to companies that sell genetic testing services directly to consumers.

In an article for the New England Journal of Medicine, Patricia Roche and George Annas explain that absent a comprehensive federal law addressing genetic privacy “those who do relinquish their DNA, assuming that they have control over its uses, may discover that they have given it all away.” As Deven warns, consumers signing up for studies or purchasing information about their genetic data may not appreciate the practical and psychological risks of disclosing genetic information, both for themselves and their families. Although Roche and Annas urge individuals to only “utilize testing services that guarantee to destroy the DNA sample on completion of the specified test,” many may not do so as the popularity of the PGP suggests.

What would possess Brin to disclose this sensitive personal information? The simple answer may lie in a crass attempt at advertising for his wife’s company, 23andMe, a biotechnology start-up that maps DNA for customers. In his blog post, Brin reported that 23andMe identified his gene mutation, a discovery that will allow him to “adjust his life to reduce” his chance of developing Parkinson’s and “support research into this disease” long before [...]]]> According to the New York Times, Google co-founder Sergey Brin, in a recent blog post, shared the news that he has a gene mutation that increases his likelihood of developing Parkinson’s disease. According to Brin, studies show that his likelihood of developing the disease “in his lifetime may be 20% to 80%.”

What would possess Brin to disclose this sensitive personal information? The simple answer may lie in a crass attempt at advertising for his wife’s company, 23andMe, a biotechnology start-up that maps DNA for customers. In his blog post, Brin reported that 23andMe identified his gene mutation, a discovery that will allow him to “adjust his life to reduce” his chance of developing Parkinson’s and “support research into this disease” long before it affects him. (At a party, Brin told a New York Times reporter that he thought disclosing one’s DNA code to the public would be helpful to attract input from doctors who could suggest treatments, in a sort of open-source model). But for anyone else–a mere mortal who does not have the luxury of his wealth–such a disclosure would be foolish. Employers would no doubt view a person differently, even though the increased chance of developing the disease based on the gene mutation is so uncertain. His disclosure also sends the wrong signal to the easily influenced–one hopes that we do not see people announcing their potential diseases on Facebook or MySpace.

An untold number of people have been rejected for medical coverage for a reason they never could have guessed: Insurance companies are using huge, commercially available prescription databases to screen out applicants based on their drug purchases.

Privacy and consumer advocates warn that the information can easily be misinterpreted or knowingly misused. At a minimum, the practice is adding another layer of anxiety to a marketplace that many consumers [...]]]> We already know that the individual health insurance market (which includes about 18 million Americans) does a terrific job of rescinding the policies of those who get sick, if they happen to have made a small error on their original application. Now insurers are prying into pharmaceutical records to figure out whom to deny coverage to:

An untold number of people have been rejected for medical coverage for a reason they never could have guessed: Insurance companies are using huge, commercially available prescription databases to screen out applicants based on their drug purchases.

Privacy and consumer advocates warn that the information can easily be misinterpreted or knowingly misused. At a minimum, the practice is adding another layer of anxiety to a marketplace that many consumers already find baffling. “It’s making it harder to find insurance for people,” says Jay Horowitz, an independent insurance agent . . .

I wonder if efforts to stop this would count as the type of horrible regulation that Richard Epstein and David Hyman decry? Perhaps individuals looking for insurance can take some small solace in the fact that the discrimination occurs without respect to political ideology; for example, both Elizabeth Edwards and John McCain would probably be unable to find coverage in a world dominated by individual insurance.

Matthew Weait, who has written brilliantly on the subject, made the most important point to me off line: opposition to criminalization must fundamentally reject criminal law as the appropriate lens for judging sexual behavior. He criticizes a couple of aspects of my discussion of the Swiss case:

•Continental Europe of course draws heavily (directly and indirectly) from Roman law principles, and so sees nothing strange about imposing general / positive legal obligations on people – in contrast to common law jurisdictions, where the duty relationship [...]]]> The video posted by Kaimi is pretty funny, but it makes the point negatively as well as positively. The negotiation is extensive, involving everything from sexual positions to meeting the parents, but there is still no mention of STDs or protection.

Matthew Weait, who has written brilliantly on the subject, made the most important point to me off line: opposition to criminalization must fundamentally reject criminal law as the appropriate lens for judging sexual behavior. He criticizes a couple of aspects of my discussion of the Swiss case:

•Continental Europe of course draws heavily (directly and indirectly) from Roman law principles, and so sees nothing strange about imposing general / positive legal obligations on people – in contrast to common law jurisdictions, where the duty relationship is (relatively) narrowly circumscribed.

•You say that “smart” sex is not a fair standard to apply to A or X … I agree, but a difficult one to argue in the courts perhaps. When it comes to the criminal use of negligence in English law (as in gross negligence manslaughter) the newly qualified driver is held to the standard of the competent and experienced one, the rooky surgeon to the surgeon who’s been doing it for twenty years. And I don’t see in principle, even though we are talking in a criminal context here, why the person upon whom the duty is seen to fall (i.e. the person with conscious knowledge that there is a higher risk of being positive, albeit no certain knowledge because no testing has happened) wouldn’t be seen as being in just the same position. It all comes down to developing strong policy argument against legal liability, I think, since the law has a habit of laying these little logical traps – once you start framing the argument within a legal framework the law has a habit of winning …

I agree, and that’s why the quest for the “right” rule suggested by Shane Hartman is legally logical but socially hopeless. When law wins, it means lawyers in the bedroom. Where’s Gunther Teubner when you need him?

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually [...]]]> I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what “privacy” means and why it is valuable. Professor Arthur Miller once wrote that privacy is “exasperatingly vague and evanescent.” In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here’s a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn’t focus on the nature of the information, the individual’s preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L.. Rev. 477 (2006). I’ve updated the taxonomy in the book, and I’ve added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

“If you could find the gene which determines sexuality and a woman decides she doesn’t want a homosexual child, well, let her.” In the same interview, [Watson] said, “We already accept that most couples don’t want a Down child. You would have to be crazy to say you wanted one, because that child has no future.”

Gerson then quotes Yuval Levin on a tension within liberalism that I’ve noted on this blog–between egalitarianism and libertarianism:

Science looks at human beings in their animal aspects. As animals, we are not always equal. It is precisely in the ways we [...]]]> Michael Gerson has an interesting editorial in the Washington Post on the Eugenics Temptation–of the left. He quotes the following statement of James Watson on embryo selection:

“If you could find the gene which determines sexuality and a woman decides she doesn’t want a homosexual child, well, let her.” In the same interview, [Watson] said, “We already accept that most couples don’t want a Down child. You would have to be crazy to say you wanted one, because that child has no future.”

Gerson then quotes Yuval Levin on a tension within liberalism that I’ve noted on this blog–between egalitarianism and libertarianism:

Science looks at human beings in their animal aspects. As animals, we are not always equal. It is precisely in the ways we are not simply animals that we are equal. So science, left to itself, poses a serious challenge to egalitarianism. The left . . . .finds itself increasingly disarmed against this challenge, as it grows increasingly uncomfortable with the necessarily transcendent basis of human equality. Part of the case for egalitarianism relies on the assertion of something beyond our animal nature crudely understood, and of a standard science alone will not provide. Defending equality requires tools the left used to possess but seems to have less and less of.

Gerson, whom David Frum “ranks among the most brilliant and most influential presidential speechwriters in decades,” has put his finger on what is probably the most dangerous tension in “left” ideology today. Positional arms races for designer babies dovetail with an ethos that says that choice in reproductive matters must be absolute. As I stated five years ago in an article, egalitarian principles should check this tide.

However, Gerson ought to also admit the “right”’s partial responsibility for driving the appeal of such arms races. Libertarianism is as much an aspect of the Republican as the Democratic party, and its tendency to reject all arguments for regulation is probably a stronger political force than the left’s alleged rejection of a “necessarily transcendent basis of human equality.” The “left” itself is diverse, and one need only read the work of Michael Perry, or basic documents in Catholic social thought, to see a robust program of social solidarity wedded to an ideal of equality grounded in natural law.

Finally, let’s consider why in America a family with a Down’s syndrome child (or one with any disability) might think it “has no future.” Why do we leave so much of children’s health care up to the chance that their parents will be able to afford insurance? Why do we as a society cling to the ideal of permitting families to go bankrupt while providing health care for their children? Gerson states:

Progressives, at their best, have a special concern for the different, the struggling and the weak. When it comes to eugenics, they face not only a tension but a choice — and they should choose human equality over the pursuit of human perfection.

Progressives might respond that conservatives, at their best, realize that our ideals can only survive when they are embedded in a culture that supports them. Gerson may be hard-pressed to defend the transcendent value of every individual life while promoting a neo-Nietzschean economic policy that routs ever more money to ubermenschen at the top of the income scale while cutting Medicaid funding. When it comes to economic policy, he faces not only a tension but a choice — and he should choose human equality over the anti-tax, anti-spending dogma that has denied so many Americans basic economic security.

At National Jewish Medical and Research Center in Denver, where he was transferred from Grady, he received hate mail and death threats from people whom he said “turned on the news and saw this greedy, self-absorbed attorney.” At a congressional hearing, a representative referred to Speaker as a “walking biological weapon.” . . . .

Speaker was released from National Jewish on July 26, his treatment successfully completed. He takes 11 pills every morning at 8 a.m., supervised by public [...]]]> The WSJ blog points to this interesting update about the TB patient who was quarantined for having a highly-resistant strain of TB. I blogged about the case here and here. According to the news story, times aren’t very good from Andrew Speaker, the TB patient:

At National Jewish Medical and Research Center in Denver, where he was transferred from Grady, he received hate mail and death threats from people whom he said “turned on the news and saw this greedy, self-absorbed attorney.” At a congressional hearing, a representative referred to Speaker as a “walking biological weapon.” . . . .

Speaker was released from National Jewish on July 26, his treatment successfully completed. He takes 11 pills every morning at 8 a.m., supervised by public health officials who drop by on their way to work — a standard regimen he will follow for the next two years to make sure the TB has been fully eradicated. He’s in excellent health and has gone back to his previous routines, unmasked and unquarantined.

But his personal injury law practice is floundering, and his life is far from normal. His existing clients have stuck with him, but there have been no new clients since the ordeal began. The perception that he’s a selfish jerk who thought nothing of exposing others to a deadly disease lingers.

“The CDC told everyone that I only care about myself,” he said. “They made statements they knew were wrong. They intentionally went after my family and our character.” . . . .

His father’s practice has also suffered. Theodore A. Speaker, also a lawyer, has based his practice for 25 years on referrals from providers of prepaid legal services. Speaker said those companies stopped referring clients to his father after news of his TB broke because potential clients were afraid they’d catch TB if they came to Ted Speaker’s office, which he shared with his son.

Speaker is also being sued in Canada for $1.3 million by eight passengers on his flight from Prague to Montreal for potentially exposing them to TB plus pain and suffering. The brother of one passenger is also suing.

At the end of the article is this interesting tidbit:

Does Speaker have any plans to sue the CDC?

“They’re a federal agency. They have immunity,” he said in resignation. “It’s easier to think this guy is a jerk than that a government agency got together to intentionally misinform the public. That’s much harder to believe.”

What?

According to the news reports, Speaker’s name was disclosed by government medical officials (probably CDC officials trying to cover their behinds for screwing up so badly). Medical officials have legal and ethical duties to maintain confidentiality. There’s also a potential Bivens action for a violation of the constitutional right to information privacy. See Whalen v. Roe, 429 U.S. 589 (1977). Most circuits recognize the constitutional right to information privacy, and it is violated by unjustified disclosures of personal information, especially medical data. For example, in Doe v. Borough of Barrington, 729 F. Supp. 376 (D.N.J. 1990), the court held that the police could be liable for disclosing to a person’s neighbor that the person was HIV positive. There are many other cases on point.

The short of it is that Speaker does have a case against the CDC if he can prove that CDC officials leaked his name and/or other medical information. It is clearly established that government officials have a duty of confidentiality of medical data under the constitutional right to information privacy in most circuits, so any qualified immunity claims would not bar liability (qualified immunity applies if the constitutional violation is not clearly established).

I sure think that there might be a case here.

These cases all involve laws passed by states concerned [...]]]> There are a number of really interesting cases pending in the First Circuit and its lower federal courts that raise questions of confidentiality and free speech in the context of the commercial trade in prescription drug information. In New Hampshire, Maine, and Vermont, data mining companies have raised First Amendment challenges to state laws that restrict the ability of pharmacists to sell information about which doctors prescribed which drugs. More information about these cases from the AP can be found here. I’ve written about this phenomenon here, arguing that there are sound doctrinal, jurisprudential, and policy reasons to reject any idea that regulation of the commercial data trade raises any serious First Amendment problems.

These cases all involve laws passed by states concerned about the sale of prescription information to data mining companies, who buy information about which doctors prescribe which drugs from pharmacies and then massage the data for use in marketing and other industry purposes. The laws vary in their particulars, but basically forbid or regulate the ability of pharmacies to sell the information. In April, a federal district court in the New Hampshire case struck down New Hampshire’s law under the Central Hudson test as violating the companies’ free speech rights. The First Amendment argument can be boiled down as follows: because the laws stop pharmacies from telling other people about their customers, they violate the pharmacy companies’ free speech rights and are therefore unconstitutional.

I think this is a silly argument, as I explain after the jump.

This is an unconvincing argument for a number of reasons. At the level of doctrine, the commercial trade in personal information isn’t the kind of free speech claim that the First Amendment is (or should be) concerned about. Lots of things that are done with words aren’t protected by the First Amendment – words are used to form contracts, to engage in insider trading, and to hire hitmen – but laws regulating such activities aren’t thought to implicate the First Amendment. Nor do we think of the attorney-client privilege as constituting a speech restriction on the ability of lawyers to inform the public with newsworthy disclosures about their clients. The boundaries of the First Amendment are fuzzy, but they tend to exclude purely commercial activity and they tend to exclude professional duties of confidentiality.

There are good reasons for this exclusion that involve why we do (and don’t) protect constitutional rights in the political and commercial areas. The data mining companies in this case essentially argue that the Constitution prohibits the government from interfering with their liberty of speech. As such, there are some striking parallels between these arguments and old “liberty of contract” claims from the Lochner era. But modern constitutionalism rests upon the premise that commercial activity can be freely regulated by the government, while only political and civil liberties justify heightened scrutiny of legislative rules. This can be a hard line to draw, but not in these cases, as there are no fundamental constitutional liberties threatened by the prescriber confidentiality statutes. The pharmacies want to sell information. The drug companies want to buy the information so that they market drugs to physicians more effectively. And that’s about it. The regulations don’t even cover advertising (which is protected First Amendment speech). So there is no reason to invoke the Central Hudson apparatus to assess these schemes.

What’s at stake in these cases is something really important, but it’s not the spurious free speech claims of the drug companies. It’s the ability of democratic legislatures and ultimately the people they represent to set the defining parameters for commercial uses of information. What’s at stake is the ability, in a world where information transfers are becoming ever more important and more lucrative, to set a sensible information policy. Treating these issues as involving the First Amendment turns the First Amendment into little more than a right to make money in the data trade. The First Amendment is of course very important – it safeguards our political, philosophical, and artistic expression, and protects our ability to debate matters of public concern. But it should not be interpreted to include a Lochner-style right to transfer databases free of government regulation. Hopefully, the First Circuit will realize this on appeal in the New Hampshire case, putting the power to set information policy in the legislatures rather than in the Courts, and preserving judicial review for First Amendment claims that involve more substantial issues.

So it is with this morning’s thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s [...]]]> This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning’s thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?

The article points to one cause: the regulations are long and often vague (though not as bad as some claim); it is always easier to say “no” than to figure out how to say “yes.” HHS must do a better job at presenting plain-English materials. Training of front-line staff — who often have the most public contact — also needs to improve. There are policy changes that could help with these problems, starting with greater effort at HHS.

In addition, I blame the army of consultants who descended on the health care industry after HIPAA passed and exaggerated its complexity to claim that only retention of their high-priced services could ensure compliance. Many offices are still spooked by that sales pitch. Increased clarity from HHS might help here too.

Finally, I agree completely with the HHS official who told the Times,

“Either innocently or purposefully, entities often use this as an excuse. They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”

I call this last phenomenon “HIPAA-cracy.” You often see the same mindset in dealing with, say, insurance coverage disputes. Inflexibility and unhelpfulness are all too often a part of the modern health care experience. And I’m not sure whether any amount of careful regulatory design can overcome that.

[Cross-posted at Info/Law]