Category: Privacy (Medical)


NASA v. Nelson: Is There a Constitutional Right to Information Privacy?

The U.S. Supreme Court has just granted cert. on NASA v. Nelson, 512 F.3d 1134 (9th Cir. 2008).  In this case, NASA required employees to undergo background checks and answer questions about very private matters,including “any adverse information” about financial integrity, alcohol and drug abuse, and mental and emotional stability.  Plaintiffs, a group of “low risk” contract employees, sought a preliminary injunction that the investigation violated their constitutional rights.  The U.S. Court of Appeals for the 9th Circuit granted the injunction.

There is a lot at stake in this case, for it potentially involves whether or not a constitutional right exists — the little-known constitutional right to information privacy.  Despite its obscurity, this right is recognized by the vast majority of federal circuit courts and there are scores of decisions involving this right.

Here are the issues cert. was granted on:

1. Whether the government violates a federal contract employee’s constitutional right to informational privacy when it asks in the course of a background investigation whether the employee has received counseling or treatment for illegal drug use that has occurred within the past year, and the employee’s response is used only for employment purposes and is protected under the Privacy Act, 5 U.S.C. 552a.

2. Whether the government violates a federal contract employee’s constitutional right to informational privacy when it asks the employee’s designated references for any adverse information that may have a bearing on the employee’s suitability for employment at a federal facility, the reference’s response is used only for employment purposes, and the information obtained is protected under the Privacy Act, 5 U.S.C. 552a.

The cert. questions are narrowly posed, so there’s hope the Supreme Court will not eliminate the right.  But I see it as a possibility.  Ultimately, I believe the following:

1. The constitutional right to information privacy does (and should) exist.

2. The court’s holding in NASA v. Nelson constitutes a big expansion of the constitutional right to information privacy.  It doesn’t follow from most of the cases interpreting that right.

3. There may be a First Amendment argument to support the plaintiffs.

I will address the first contention in this post, and the other two in a subsequent post.

The constitutional right at issue is a little-known spinoff right to the constitutional right to privacy, most famously declared in Griswold v. Connecticut, 381 U.S. 478 (1965) and Roe v. Wade, 410 U.S. 113 (1973).  In these cases, the Supreme Court recognized that the Constitution protects a “right to privacy” grounded in the First, Third, Fourth, Fifth, and Ninth Amendments.  The Supreme Court issued an extensive line of cases involving the constitutional right to privacy, and these cases have generally involved freedom from government interference in making certain kinds of private decisions about one’s health, contraception, child-rearing, and abortion.

The constitutional right to information privacy emerged in a case called Whalen v. Roe, 429 U.S. 589 (1977). The case involved a government record system of people taking prescriptions for certain medications. Although the government promised that the information was confidential and secure, the plaintiffs feared the possibility of the information leaking out.

Read More


Facebook: Taking Out the Free in Free Expression

As so many warn (and warn to no avail), self-expression on social network sites can be costly.  CBC News recently reported that an employer’s insurance company cut a Quebec employee’s long-term sick leave benefits after seeing photographs on the employee’s Facebook page.  The employee had been on leave from her job at IBM for a year and a half after being diag1211887_on_the_beach_2nosed with major depression.  The employee posted pictures of herself having a good time at a bar on her birthday and enjoying the beach while on vacation.  The insurance company investigated the woman’s Facebook page after she told her insurer about her trip.  The employee explained that her doctor advised her to have fun to combat the depression.  But that apparently did little to convince the insurer that the employee still struggled with depression.  This case demonstrates the problem of de-contextualization in our digital lives.  A strong argument exists that the insurer took pictures out of context when terminating the woman’s benefits.  This is just the kind of privacy problem that Dan Solove so astutely tackles in Understanding Privacy and urges a contextual, pragmatic approach to address it.

Not only do insurers (and employers) hold our Facebook musings against us, but government employers can as well.  As Helen Norton‘s superb article Constraining Public Employee Speech: Government’s Control of its Workers’ Speech to Protect its Own Expression (59 Duke L.J. 1 (2009)) explores, government employees can be fired for off-duty online speech on the grounds that the public would associate the employee’s off-duty expression with the government entity that employed him.  For instance, the Ninth Circuit rejected a First Amendment challenge by a police officer who had been fired for maintaining a sexually explicit website featuring his wife even though the website never referred to law enforcement generally or the plaintiff’s employment specifically.  The court explained: “it can be seriously asked whether a police officer can ever disassociate himself from his powerful public position sufficiently to make his speech (and other activities) entirely unrelated to that position in the eyes of the public and his superiors. . .  . the sleazy activities [of plaintiff and his wife] could not help but undermine [the public's] respect” for the police department.  Given the current state of First Amendment doctrine, it seems possible that government employers could fire employees for participating in Facebook groups with unpopular viewpoints on the grounds that such support would undermines the public’s respect for the particular government employer (the Facebook groups supporting Nazi ideology and Holocaust denial come to mind).  Norton elegantly addresses the value of government speech and that of its employees and, like Solove, prefers a contextual approach that honors First Amendment values and employees’ expressive autonomy.

Hat tip: Raymond Cha


Understanding Privacy in Paperback

Cover 5 medium.jpgI’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.


Reservoirs of Patient Data: Next Generation’s Privacy Problem

1076628_mask_from_venicePatients of rare diseases find that drug companies have little interest in devoting limited R&D budgets to diseases of small populations.  As a result, patients have begun to strike out on their own in the search of cures.  As The New York Times explains, patients increasingly share their medical information (including details about their everday experiences living with a disease) online in the hopes that other similarly-situated patients will do the same.  This would permit interested academic researchers to mine the data for observations about their diseases.  Patients see online communities as offering new ways to transform medical research–especially into rare diseases that elude the current model of large-scale studies of widespread conditions.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One imagines that these sites will respond to privacy concerns by employing anonymization practices.  For instance, sites might delete personal identifiers like names and social security numbers and remove other potential identifiers, such as names of next of kin or student ID numbers.  This ostensibly permits researchers to use the amassed data without concomitant privacy risks.  But, as Paul Ohm’s important and engrossing new paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization argues, technology renders this privacy-protection option obsolete.  Computing advances now permit clever adversaries to reidentify or deanonymize the people hidden in anonymized databases.  This means that datasets that were meant to be kept apart are easily rejoined, allowing sensitive secrets to be  revealed.

Patients may of course be willing to take that risk if their particpation in open-source research leads to cures of rare diseases.  Yet patients also jeopardize their offsprings’ privacy: if medical information can be reidentified with ease and linked with other datasets, a patient’s children may get caught up in that web of re-identification.  This may lead to genetic discrimination in the grown-up child’s life.  Grown-up children may be willing to bear that risk–it is, however, worth considering this possibility when assessing privacy concerns related to such open-source research efforts.


Seeing With Your Tongue: No Really

Not much law here, yet. Researchers have taken theoretical work begun decades ago and developed a “brain port,” a device that uses technology to allow people to reorganize how they process sensory data. In the example below, blind people are able to see images. The device takes visual input, processes it, sends impulses to a pad that sits on someone’s tongue, and then the person is able to see some images. It takes quite a bit of training and in some cases folks have been able to use the device such that they actually re-train the brain and can reduce use of the device. Yes in a sense they have “rewired” their brain. This advance is just cool. The video also explains that the advances in this field trace to Professor Paul Bach-y-Rita who apparently had to overcome a fair amount of resistance in his fields of neurobiology and rehabilitation, because he was challenging many accepted beliefs regarding the way the brain works and more (all hail Kuhn). Will the law become involved in this area? It probably already is insofar as patents and copyright are being used to govern the technology. In addition, as I have noted before, the advances in embedded or sensory enhancing devices raise numerous questions regarding privacy, the ownership of data, bioethics, and research ethics. So welcome to the future and take a look at the video. It really is amazing and wonderful that scientists have made these breakthroughs. At the very least, anyone questioning how basic research can lead to unforeseen benefits should pause after seeing this work.


Maps and Legends

Space the final frontier. These are the voyages of … ah, you know the rest. Exploration and the idea of frontiers seem to capture an important part of the human experience. The possibility of finding something new, of entering uncharted territories excites people. And, although one may want to keep the secret of the Northwest Passage or the Straits of Magellan a secret, sooner or later a map is created to increase the amount of benefit that can be extracted from the discovery. Yet with the world seeming to collapse into one connected place, the role of maps has changed. In short, maps are a new frontier for property and privacy.

As Jacqueline Lipton noted Google Maps has enabled the persistence of race discrimination. Google Maps has also spawned some other curious creations and connections. For example, I wrote about the flap over what is a true IMAX screen and that folks put together a map of IMAX screens with information about the screen size. The H1N1 (aka swine) flu epidemic revealed an interesting dual use for maps. One person created a frequently updated map with information about claimed incidents. I was curious about the source and found that one person at, what else, a bitotech company focused on recombination and disease, was behind the map. In addition, a group called Health Map seeks to offers a map that connects “disparate data sources to achieve a unified and comprehensive view of the current global state of infectious diseases and their effect on human and animal health.” On the light side, Total Film has a feature that uses Google Street view to show 25 favorite film locations.

As seems always to be the case, folks will probably soon argue about who owns what. The more interesting point might be the way maps show the malleability of information. In some hands, maps show fun things like where a film was shot. In other hands, maps provide useful epidemiological information. Yet, certain home owners may not be pleased about having tourists show up to gawk at what had been a quiet abode. Cities, counties, and even states may be upset if lay people assume that suspected or even confirmed outbreaks mean they should create a de facto or quasi-quarantine. Last, knowing where specific racial, religious, and other groups are can all too easily lead to mob behaviors.

The information mill churns. We have to sort it out. Old tools have new impacts. Today maps pose challenges. Tomorrow it will be something else. I am never certain that the law is the best way to manage these changes. Nonetheless, we have to consider what they are and how they function in case the law is asked to do so. On that note, please share any other creative and/or challenging uses of maps of which you are aware.

Last here is a little music for the trip:

Maps And Legends – R.E.M.


Health Tech: CNET Shadows The Economist

507px-gersdorff_-_schadelwundeTeaching Information Privacy is simply fantastic. The law and issues force students to consider torts, contracts, criminal procedure, constitutional law, and more. The health and genetic privacy material alone could easily be a course unto itself. Health care has been a major policy matter for more than a decade, and yet, it has not suffered the usual let’s move on to the next hot topic pattern that specific health matters such as HIV/AIDS and more recently H1N1. One area that is coming is so-called e-health. CNET is hosting a three day series on “Your e-health future.” The series looks at digital health records, Microsoft and Google’s forays into the sector, some fundamentals about e-health, stimulus, and so on. I plan on reading the different parts but based on the bits I’ve scanned, it is a little thin. In contrast, The Economist’s special report “Medicine Goes Digital” from April was stimulating and informative. I highly recommend the series of articles. The basic premise, “The convergence of biology and engineering is turning health care into an information industry,” relates to something I have been working on for a while: the way in which the merging of humans and machines (some call this possibility the singularity) poses problems that relate to intellectual property and privacy in much the same way being online did and continues to pose problems. These changes are coming. The question, and my hope, is that for once the law will be ahead of the curve as technology foments a fundamental change in the way we live.

Image: “Fieldbook of medicine (1517). Treatment of a skull injury. Wood cut work attributed to Hans Wechtlin.”
Source: Wikicommons

License: Public Domain


Lessons from the Identity Trail

lessons-from-the-identity-trail.jpgThere’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

Read More


Blacklisted from Health Insurance

pills1.jpgFor the millions of people losing their jobs and having to obtain health insurance on their own, they are in for quite some difficulty if they have a pre-existing condition. According to the Miami Herald:

[M]aterial available on the Web shows that people who have specific illnesses or use certain drugs can’t buy coverage.

”This is absolutely the standard way of doing business,” said Santiago Leon, a health insurance broker in Miami. Being denied for preexisting conditions is well known, but when a person sees the usually confidential list of automatic denials for himself, “that’s a eureka moment. That shows you how harsh the system is.” . . . .

Searching the Web, The Miami Herald found underwriting guidelines for Coventry Health Care, which owns Vista; Wellpoint; Assurant Health; and Blue Cross Blue Shield of Nebraska.

Among the health problems that the guides say should be rejected: diabetes, hepatitis C, multiple sclerosis, schizophrenia, quadriplegia, Parkinson’s disease and AIDS/HIV.

For cancer, the key is how patients have been doing in remission. Wellpoint, a national insurer, rejects applicants who have had breast or prostate cancer within the past five years. With other types of cancer, 10 years must have passed. Assurant Health, based in Milwaukee, rejects most patients whose cancer has not been in remission for at least eight years.

Other reasons for automatic denial by various companies: alcohol-related problems of people who have not been abstinent for at least six years, chronic bronchitis, severe migraines, and a cardiac pacemaker installed within the last two years.

Some insurers will automatically reject applicants who are using certain prescription drugs. Wellpoint denies anyone who within the past year has taken Abilify and Zyprexa for mental disorders as well as Neupogen, which is used to treat the side effects of chemotherapy. Vista lists the anticoagulant Warfarin and the pain medication Oxycontin. Both companies list insulin.

The article also discusses how the insurers use database companies to gather data about people’s medical conditions and prescription drug use:

To make sure that applicants are not lying, insurers hire a data-gathering service — Medical Information Bureau, Milliman’s Intelliscript or Ingenix Medpoint.

Intelliscript and Medpoint do computerized searches of a person’s drug use, gleaned from pharmacy benefits managers and other databases.

The difficulty is that if a person has a disease, then it may be nearly impossible for that person to obtain health insurance. My advice: (1) stay employed; (2) don’t get ill. Otherwise, you’re basically out of luck.


Thinking Hard About the Privacy Risks of E-Health Records Systems

835548_internet_fraud.jpgAccording to a Javelin Strategy & Research study, the incidence of identity theft jumped sharply in 2008, up 22% from the prior year. Over 9.9 million Americans fell victim to criminals who used their identifying information to borrow money, empty bank accounts, and other modes of financial impersonation. This is unsurprising news given the current state of our economy: experts predict a sharp rise in cybercrime in 2009 as financial gain from stealing data is increasingly more attractive in times of economic crisis. And if the economic downturn isn’t enough incentive, the difficulty and low incentives to catch identity thieves certainly suggests to criminals that identity theft’s benefits exceed its costs.

The surge in identity theft, and cyber crime more generally, should have us tread carefully as we move forward in digitizing health records. Electronic health records systems run a number of privacy risks and medical identity theft is surely one of them. As our unemployment rates continue to rise, so, too, will the number of uninsured Americans. In turn, we will no doubt see a continued increase in medical identity theft as people who do not qualify for coverage under Medicaid or Medicare will still need surgeries and prescription drugs. Moreover, as the ACLU recently wrote to Congress, employers who obtain medical records inappropriately might reject a job candidate who appears expensive to insure. Data brokers might buy medical and pharmaceutical records and sell them to marketers. And unscrupulous employees might snoop on the health of their colleagues. Protecting the privacy of patients is a tough, but not impossible, task. Effective solutions (which I will blog about in upcoming posts) must enlist law, technology, and social norms to protect individuals from the host of privacy problems that e-health records systems raises.