Category: Privacy (Medical)

8

HIPAA-cracy

This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning’s thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?

Read More

Vanity Taxes vs. Worthless Competitions

vanity.jpgNew Jersey adopted a “vanity tax” in 2004, levied on “any medical procedure performed on [an] individual which is directed at improving [his/her] appearance and which does not meaningfully promote the proper function of the body or prevent or treat illness or disease.” In a critique of the tax, Michael Duel argues that it is sexist and such surgery is frequently nondiscretionary:

Women can either feel inferior, enjoy a lower quality of life, and be rejected by mainstream society, or else suffer the pain and toil of cosmetic surgery to achieve the exact same ideals society uses to reject them.

Cosmetic surgeons have also railed against the tax, unctuously declaiming that it “discriminates against women” because they buy about 86% of the procedures.

NOW President Kim Gandy has a nice response to that canard:

In general, I’m opposed to most things that impact women disproportionately, but disproportionate use isn’t a good measure if a tax is unfair or not. I can’t imagine someone arguing against having a luxury tax on yachts because more of them are bought by men.

State Senator Karen Keiser is uppping the redistributive ante in Washington state, with a plan to earmark vanity tax revenue for health insurance for poor children. As one tax policy analyst claims, “In this anti-tax climate, these user-based, selective tax proposals are more palatable than broader ones.”

Duel also attacks the vanity tax as a matter of tax policy, but I have a feeling he misses its point. . .

Read More

1

Too Much Privacy for the Virginia Tech Shooter?

Marc Fisher, a Washington Post columnist, has a column in the Washington Post complaining about how privacy laws are getting in the way of the investigation into the background of the Virginia Tech Shooter. He writes:

But the Virginia state panel investigating the shootings has already done enough poking around to show that any effort at reform will run straight into a solid wall built out of federal privacy regulations. . . .

The state investigation has been unable so far to get hold of the records that would show how Seung-Hui Cho’s mental problems were dealt with by the university or the state.

Even though Cho is dead, his records remain under lock and key because of a federal privacy law that keeps medical records sealed…forever. In general, privacy rights expire when you do. That’s as it should be–what possible right to privacy can you have when you’re merely a memory?

When the feds were writing new privacy rules a few years ago, the government initially proposed to keep medical records confidential for two years after a person died. But the feds caved to privacy advocates who insisted that releasing such records could hurt living people, for example, if genetic information about the dead person were made public. . . .

The rules are now so wildly slanted toward keeping secrets that hospitals, doctors, mental health clinics, universities and others who deal with people like Cho can pretty much do whatever they want, without any effective public check on their handling of a case. Even after a mass murderer dies, it’s unnecessarily difficult to hold institutions accountable.

Fisher’s op-ed makes it sound as if the law absolutely bars the obtaining of the records. Fisher doesn’t mention any particular laws (he only links to an HHS comment about one rule under HIPAA, but not the rule regulating access to records) or even discuss the standards that the law requires. But if one were to actually look at the law, it becomes clear that Fisher’s gripe doesn’t really exist. Unless I’m missing something, state officials could simply get a court order or subpoena to obtain the records.

The law isn’t “wildly slanted” toward protecting privacy; nor does it erect a “solid wall” that prevents the investigation from getting the records. Nearly all privacy statutes allow government investigatory officials to obtain records with a mere court order or even a subpoena. The HIPAA regulations, for example, allow for the disclosure of health information pursuant to a court order or an “administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process authorized under law.” 45 C.F.R. 164.512(f). The Family Education Rights and Privacy Act (FERPA) allows officials to obtain school records with a mere “subpoena issued for a law enforcement purpose.” 20 U.S.C. 1232g (b)(1)(a)(J)(ii). Subpoenas are very easy to use. So what’s the big deal here?

2

More on Identifying the TB Patient

I blogged the other day about the inappropriate disclosure of the TB patient’s identity. Over at Chronicles of Dissent, Dissent has an interesting post worth reading about the issue. He quotes Dr. Martin Cetron, Director of Division of Global Migration and Quarantine at CDC, who said: “I don’t think, publicly naming the individual, which we never do, has any advantage in [faciliating contacting individuals at risk of contracting TB from exposure to the patient], since this is not a disease that’s spread by casual interactions with the public.” Dissent writes:

Certainly by now, the patient has been portrayed in a generally unflattering light in the media — as someone who was only concerned about his own needs and desires and who gave little thought to the health of others. Less media attention has been paid to his statements that he was never ordered not to fly, that at the time he left the country, he had not been diagnosed with the dangerous treatment-resistant strain, and that after they contacted him in Europe to inform him, he felt the CDC did not move quickly enough to make arrangements for his safe travel back to the U.S. for treatment — so he made his own arrangements.

Check out the full post for more about the issue.

4

Identifying the TB Patient

tb-patient2.jpgThe other day, I blogged about the TB patient who flew to Europe and back with the knowledge that he had a rare form of TB. The media had been reporting on the case for a while, and the man’s name was not identified until a day or two ago, when a number of stories began including his full name and photograph [one photo is included in this post; I have obscured his face], as well as the name and photographs of the woman he married (including photos from his wedding).

Although I find the man’s conduct to be irresponsible, I don’t think it was appropriate to identify him. I bet that revealing his name will result in threats and attempts at vigilantism, possibly putting him and his family at risk of harm. It will also severely hurt his reputation and perhaps even his career. Some might say that he deserves such consequences, but I believe that the most appropriate sanctions are legal, not extra-legal. I have blogged extensively about my thoughts about such community mob “justice” here.

Was it appropriate for the media to publish his name and photograph? The name and photograph of his wife? I am curious about how his name got leaked. If one of his physicians released it, or if a government official at the CDC or elsewhere released it, he might have a cause of action for breach of confidentiality or public disclosure of private facts.

UPDATE: Dissent (a commenter to my post) points to an AP story that provides an answer to how the man’s identity was revealed. According to the AP:

The tuberculosis patient under the first federal quarantine since 1963 is a 31-year-old personal injury attorney who practices law with his father in Atlanta, a federal law enforcement official said Thursday.

The official, who asked to remain anonymous because he was not authorized to talk about the case, identified the patient as [name]. A medical official in Atlanta also confirmed the patient’s name on condition of anonymity.

Barring facts I’m unaware of, such a disclosure by the government official seems improper and probably illegal. It might well be a violation of the TB patient’s constitutional right to information privacy. The confirmation of the patient’s identity by the medical offical in Atlanta would be a breach of confidentiality. It is surprising that these individuals disclosed the man’s name. They clearly knew better, as the federal official indicated he wasn’t supposed to speak about the case and the medical official requested anonymity. This strikes me as a willful disregard for the law, and I hope that these officials will be punished, let alone successfully sued by the TB patient.

5

DNA Sampling — For Everyone?

dna11a.jpgThe New York Times reports:

The Justice Department is completing rules to allow the collection of DNA from most people arrested or detained by federal authorities, a vast expansion of DNA gathering that will include hundreds of thousands of illegal immigrants, by far the largest group affected.

The new forensic DNA sampling was authorized by Congress in a little-noticed amendment to a January 2006 renewal of the Violence Against Women Act, which provides protections and assistance for victims of sexual crimes. The amendment permits DNA collecting from anyone under criminal arrest by federal authorities, and also from illegal immigrants detained by federal agents. . . .

The goal, justice officials said, is to make the practice of DNA sampling as routine as fingerprinting for anyone detained by federal agents, including illegal immigrants. Until now, federal authorities have taken DNA samples only from convicted felons.

The collection of DNA is now expanded to arrestees, whereas before it was for convicted criminals. Does the fact that it applies to arrestees–people who could be innocent of crimes–change the privacy implications? In the past, I’ve posted about whether there should be a national DNA database for everyone. The arguments made on behalf of the DNA database for arrestees and convicts could readily apply to such a broader DNA database. I wrote:

The benefits of using DNA identification are quite significant, since many people who have been wrongly convicted based on erroneous eye witness testimony (which is very unreliable) have been exonerated with DNA. Adding more DNA profiles will improve the database.

Nevertheless, I am very wary of the power the database gives the government. Since we leave trails of our DNA wherever we go, it might be possible to link particular people to particular places. That’s what is done with crime scenes, but what if the use expanded beyond crime scenes?

For those who are unconcerned about the collection of DNA for arrestees, what if the DNA database contained the DNA of all citizens? After all, if it is beneficial in investigating crime and can be extended to arrestees who are later exonerated, why not take the next step and extend it to everybody? Would this pose a problem?

Hat tip: Deven Desai

13

Online Blacklisting of Medical Malpractice Plaintiffs

stethoscope.jpgIn a disturbing development, websites are emerging to create blacklists of individuals who file medical malpractice claims. According to an article at Law.com:

In 2004, a group of Texas physicians launched DoctorsKnowUs.com. The site listed the names of plaintiffs, attorneys and expert witnesses in medical malpractice cases. That site did not make any distinction between cases that ended in plaintiff verdicts and those that ended in defense verdicts or settlements.

According to the New York Times, a North Texas man had trouble finding a physician for his 18-year old son after his name was posted on the site. He had filed a medical malpractice suit after his wife died from a missed brain tumor, and had won an undisclosed settlement.

DoctorsKnowUs.com was shut down four days after the Times article was published.

A new website to blacklist medical malpractice plaintiffs has emerged, called LitiPages.com. According to the Law.com article:

In the latest effort to enable doctors to shun patients who sue, an offshore company has launched an Internet site that lists the names of plaintiffs who have filed medical malpractice cases in Florida and their attorneys.

The site, LitiPages.com, encourages doctors to consider avoiding patients who are listed in the database, and it strongly encourages plaintiffs who have lost their cases at trial to turn around and sue their plaintiffs attorney. . . .

Unlike the Texas site, LitiPages.com plans to list only plaintiffs who filed cases that ended in a defense verdict, a settlement, or a plaintiff verdict on only one count while other counts were dismissed.

The overwhelming majority of med-mal cases that go to trial result in defense verdicts. A large percentage of claims never go to trial, and many of those result in settlements. Some experts say that it’s not possible to say that cases are “frivolous” just because they don’t result in a plaintiff verdict.

The article also discusses an interesting study about medical malpractice lawsuits:

Read More

2

HIPAA’s Lax Enforcement

hipaa3.gifToday’s Washington Post has an interesting story about how the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) are not being enforced:

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has “closed” more than 73 percent of the cases — more than 14,000 — either ruling that there was no violation, or allowing health plans, hospitals, doctors’ offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

“Our first approach to dealing with any complaint is to work for voluntary compliance. So far it’s worked out pretty well,” said Winston Wilkinson, who heads the Department of Health and Human Services’ Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration’s decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

The lax enforcement of HIPAA could be addressed if HIPAA were to have a private right of action. Currently, HIPAA doesn’t provide a way for individuals to sue for privacy violations. HIPAA would be more effective with a private right of action, which would prevent enforcement from being stymied whenever an agency isn’t interested in enforcing a law. The Bush Administration has little love for the HIPAA privacy regulations, which it tried to kill when it took over power from the Clinton Administration. Instead of killing HIPAA, the Bush Administration rewrote parts of the regulations, weakening them significantly. And now, the strategy seems to be to let the HIPAA regulations sink into irrelevance.

2

Sex in Kansas

doctor2a.jpgYes, Dorothy, you really can tell your doctor about sex in Kansas. A while ago, I wrote about the Kansas Attorney General’s interpretation of a law prohibiting sex with minors under the age of 16 as requiring doctors to report any sexual activity by people under 16 to the state authorities (here and here).

Recently, a federal district court judge concluded in Aid for Women v. Foulston:

An individual’s right to informational privacy may be implicated when the government compels disclosure of that individual’s personal sexual or health-related information to the government and/or to other third parties. Compelled disclosure may violate an individual’s right to informational privacy unless the disclosure serves a compelling state interest in the least intrusive manner. To determine whether information is of such a personal nature that it demands constitutional protection, the court considers: “1) if the party asserting the right has a legitimate expectation of privacy; 2) if disclosure serves a compelling state interest; and 3) if disclosure can be made in the least intrusive manner.” A “legitimate expectation of privacy,” is based “at least in part, upon the

intimate or otherwise personal nature of the material.” . . .

The Supreme Court and this Circuit have extended to minors the constitutional right to privacy, including the right of informational privacy. However, in a variety of contexts the power of the state to control or regulate the conduct of children has been found to reach beyond the scope of its power over adults. For the narrow issue of whether mandatory reporting of consensual sexual activity of minors violates a minor’s informational privacy rights, the court begins with a three-prong analysis: 1) is there is a legitimate expectation of privacy; 2) does disclosure serve a compelling state interest; and 3) can disclosure be made in the least intrusive manner? The court finds the Kansas reporting statute encompasses these elements. First, the statute recognizes an expectation of privacy in conduct when there is no reason to suspect injury as a result of abuse. Second, the state clearly has a compelling interest in protecting children from abuse, but, as the statute indicates, this interest is limited to circumstances when there is a reason to suspect injury. Thus, a minor’s privacy ends where the state’s interest in protecting the minor begins. Finally, the statute recognizes that privacy should be breached only when injury to the child is reasonably suspected. By its very terms, the statute recognizes an element of privacy in mandatory reporting of unlawful sexual activity of a minor.

As the court concluded above, the statute itself wasn’t a problem. The Kansas AG’s interpretation of the law, however, went too far, and the court enjoined it. According to the court:

Read More

2

Update on the Kansas Teen Sex Medical Records Case

doctor2b.jpgA few days ago, I blogged about a case in Kansas where the Attorney General interpreted a law prohibiting sex with minors under the age of 16 as requiring doctors to report any sexual activity by people under 16 to the state authorities. Recently, the Kansas Supreme Court issued an opinion, Alpha Medical Clinic v. Anderson, strongly limiting the Attorney General’s reporting requirement. Relying in significant part on Whalen v. Roe, 429 U.S. 589 (1977) (discussed in depth in my earlier post), the Kansas Supreme Court reasoned:

It is beyond dispute that the State has a compelling interest in pursuing criminal investigations. . . . And an individual’s right to informational privacy is not necessarily “absolute; rather, it is a conditional right which may be infringed upon a showing of proper governmental interest.” . . . . Also, the fundamental right to obtain a lawful abortion may be regulated as long as the regulation does not constitute an undue burden. . . .

Our evaluation necessarily involves weighing of these competing interests, including the type of information requested, the potential harm in disclosure, the adequacy of safeguards to prevent unauthorized disclosure, the need for access, and statutory mandates or public policy considerations. See Lawall, 307 F.3d at 790 (citing United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 [3rd Cir. 1980]). . . .

Read More