Who is Responsible? The Criminalization of HIV Transmission

You may have thought that HIV is a disease, but we are seeing a serious resurgence of the idea that HIV transmission is a crime. Sure it is important to promote basic knowledge, safe sex, testing and care, but when people actually infect other people – so goes the argument – it’s time to call in the police. Criminalization has been an off-and=on issue in the US for twenty years, but the rest of the world seems to be seeing a new surge. Close on a dozen countries in West Africa have added new statutes on HIV exposure in the past two years, and there have been high-profile prosecutions in countries as different as Britain and Singapore. (For an excellent analysis of the British cases, see the book by Professor Mathew Weait; for for good coverage and analysis of the cases, see Edwin J. Bernard's blog).

Over the next few weeks, I’ll be blogging on this issue as part of my participation in the international AIDS conference in Mexico City, August 2-7. I’ll be going over the arguments against criminalization and describing the activities around the issue at the conference. For now, though, I am going to show how criminalization plays out by telling you about a very interesting decision handed down last month by the Swiss Federal Court. It is, as far as I know, the first case in which a person who did not have actual knowledge of his HIV status has been found guilty of a transmission crime. Read on…

The Story

Mr. A_______ was an “educated, cosmopolitan and experienced” gentleman who divided his time between Switzerland and Spain. During the Spring and Summer of 2002, he had unprotected sex on a number of occasions with Ms. X_______ .

A_______ believed that he was HIV-negative, but had known since 2000 that Ms B_______, a woman with whom he had also had unprotected sex, had been diagnosed with HIV. After learning of B_______’s diagnosis, A_______ had continued to have sex with her but had always used a condom. He apparently never got an HIV test himself, but believed he was not infected because he had never had the acute flu-like symptoms that usually signal seroconversion after infection. He never mentioned the fact that a past partner had tested positive for HIV to X_______. For her part, X_______ testified that she had had other partners before A, but had always practiced safe sex. The case proceeded on the theory that B_______ had infected A_______, and A_______ had then infected X_______, the complainant in the case.

So far, it sounds like a sad tale of modern love, a case of sex with detriments. A lot of passion, a good bit of denial, some stupidity, and too little communication. Routine Sex in the City stuff (for a discussion of how safe sex and STDs were dealt with on the famous show, click here.) Sex in the world, I should say, because this is pretty much the way HIV gets spread: people who know they have had unprotected sex in the past with someone whose infection they cannot rule out have sex with new people whose HIV infection they cannot rule out. Most people most of the time are lucky, particularly if they live somewhere where the overall prevalence is low and those who have HIV can get treatment, which according to another branch of the Swiss government actually renders people non-infectious. What we’d like to see happen at moments like this is that both parties recognize the risk and take precautions until such time as they can be reasonably certain that neither of them is infected. Public health interventions spread that message and try to give people the condoms, skills and confidence to practice safe sex. What it comes down to, though, is that “safe sex” really should be called “smart sex.” That, alas, makes “safe sex” a euphemism for an oxymoron, because there is not much evidence that smart is a big part of human sexual behavior. People will usually do their best, but sometimes the A_____s and X_____s of the world will be too complacent about the possibility that a guy who looks and feels great might just have HIV.

The Decision

The Swiss Federal Court saw a crime, upholding A’s conviction on charges of negligent infliction of bodily harm and negligent transmission of a deadly disease – and his nine month prison sentence. Two aspects of the court’s judgment are of particular interest: how the court transforms public health advice on safe sex into binding rules of sexual conduct, and how the victim’s failure to follow the rules does not prevent the onus of criminal responsibility being placed on the defendant.

First, the court adopted as the standard of care for criminal law purposes the Swiss health agency’s safe sex guidelines:

The measure of care to be observed in connection with the transmission risk of HIV is established by the recommendations of the Federal Office of Public Health (so-called safer sex rules). They indicate that protected sex with condoms is sufficient protection against HIV infection. Outside loyal partnerships, safer sex is always recommended, and is recommended within loyal partnerships if one of the partners is possibly infected and cannot rule out HIV infection with reasonable certainty. Reasonable certainty is a negative HIV test after three months (serological window) since the last risky encounter, including any sexual act that is not considered safer sex.

A______ happened to know that a past partner was HIV positive, but he could have been guilty even without that. If a person has had unprotected sex with anyone whose sexual history he does not know, the court declared, he “is obliged to renounce unprotected sex as long as he cannot reasonable exclude the possibility of his own HIV infection.” You’d think that this might have some implications for A’s defense, since X had also had other casual partners and, though she insisted she had always used condoms, even the court was dubious and in any event the protection rubbers afford is not complete. The court dismissed the possibility that X was contributorily negligent. Yes, she could have insisted upon condom use with A_______(as required by those “safer sex rules”), but failure to do so was no default. The decisive point was that “only [A] knew that he had had unprotected sex with the HIV-infected B.________. He never informed the complainant. Likewise, she did not know that he had failed to take an HIV test and despite the information from B.________ continued to have unprotected sex apparently unconcerned about the consequences his behavior could have.”

The court’s finding of criminal negligence on the part of A was premised on the safer sex rules and related public health efforts:

Because of the government campaigns for AIDS prevention, it must be considered to be generally known that unprotected sexual intercourse with unknown or changing sexual partners brings with it a significantly increased risk of infection and the obligation to take appropriate protective measures (use of condoms). In risky behavior these protection measures are required of all, not least of an educated, cosmopolitan and experienced person such as the respondent.

Yet X, apparently also a well-traveled and sophisticated person, was not at fault for failing to practice safer sex:

It cannot be accepted, and we will not hold, that [X] had the knowledge – particularly the knowledge of the respondent’s earlier risky contact with B_______ -- that would have been necessary to make an informed choice to engage in unprotected sex.

The court was, in my view, quite right about X. She could have figured that A might well have a risky past, since he certainly had a risky present with her, but that would have been smart sex and that is just too far from normal human behavior to constitute a fair standard for criminal law purposes. The mistake was applying that standard to the even more clueless A_______.

The decision also affirmed a civil judgment against A_____. Although I doubt that tort can play a useful role in HIV prevention (for many of the same reasons criminal law cannot), nonetheless my reaction to the court’s reasoning in its civil guise is entirely different than my reaction to its criminal enforcement. Negligence is about ordinarily human carelessness; there is certainly an element of moral blame, but it is minimal, and as Holmes famously explained, we often enforce standards in tort that we realize many of us will fail to meet a lot of the time. Most of us are lucky enough that no harm follows our carelessness. The unlucky are required to compensate their even more unfortunate victim, whose own negligence may be taken into account in the final reckoning. The sanctimony and stigma of criminal sanctions is, sensibly, absent.

More on this over the next three weeks.

The case, X v A, 6B_235/2007 /hum, is available in German on the court’s website. I’ve posted separately my translation of the key sections of the decision on this blog.

Posted by Scott Burris at 03:07 PM | Comments (0) | TrackBack

My New Book, Understanding Privacy

I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what "privacy" means and why it is valuable. Professor Arthur Miller once wrote that privacy is "exasperatingly vague and evanescent." In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here's a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn't focus on the nature of the information, the individual's preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L.. Rev. 477 (2006). I've updated the taxonomy in the book, and I've added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

Posted by Daniel J. Solove at 12:03 AM | Comments (5) | TrackBack

Eugenics Problems, Left and Right

Michael Gerson has an interesting editorial in the Washington Post on the Eugenics Temptation--of the left. He quotes the following statement of James Watson on embryo selection:

"If you could find the gene which determines sexuality and a woman decides she doesn't want a homosexual child, well, let her." In the same interview, [Watson] said, "We already accept that most couples don't want a Down child. You would have to be crazy to say you wanted one, because that child has no future."

Gerson then quotes Yuval Levin on a tension within liberalism that I've noted on this blog--between egalitarianism and libertarianism:

Science looks at human beings in their animal aspects. As animals, we are not always equal. It is precisely in the ways we are not simply animals that we are equal. So science, left to itself, poses a serious challenge to egalitarianism. The left . . . .finds itself increasingly disarmed against this challenge, as it grows increasingly uncomfortable with the necessarily transcendent basis of human equality. Part of the case for egalitarianism relies on the assertion of something beyond our animal nature crudely understood, and of a standard science alone will not provide. Defending equality requires tools the left used to possess but seems to have less and less of.

Gerson, whom David Frum "ranks among the most brilliant and most influential presidential speechwriters in decades," has put his finger on what is probably the most dangerous tension in "left" ideology today. Positional arms races for designer babies dovetail with an ethos that says that choice in reproductive matters must be absolute. As I stated five years ago in an article, egalitarian principles should check this tide.

However, Gerson ought to also admit the "right"'s partial responsibility for driving the appeal of such arms races. Libertarianism is as much an aspect of the Republican as the Democratic party, and its tendency to reject all arguments for regulation is probably a stronger political force than the left's alleged rejection of a "necessarily transcendent basis of human equality." The "left" itself is diverse, and one need only read the work of Michael Perry, or basic documents in Catholic social thought, to see a robust program of social solidarity wedded to an ideal of equality grounded in natural law.

Finally, let's consider why in America a family with a Down's syndrome child (or one with any disability) might think it "has no future." Why do we leave so much of children's health care up to the chance that their parents will be able to afford insurance? Why do we as a society cling to the ideal of permitting families to go bankrupt while providing health care for their children? Gerson states:

Progressives, at their best, have a special concern for the different, the struggling and the weak. When it comes to eugenics, they face not only a tension but a choice -- and they should choose human equality over the pursuit of human perfection.

Progressives might respond that conservatives, at their best, realize that our ideals can only survive when they are embedded in a culture that supports them. Gerson may be hard-pressed to defend the transcendent value of every individual life while promoting a neo-Nietzschean economic policy that routs ever more money to ubermenschen at the top of the income scale while cutting Medicaid funding. When it comes to economic policy, he faces not only a tension but a choice -- and he should choose human equality over the anti-tax, anti-spending dogma that has denied so many Americans basic economic security.

Posted by Frank Pasquale at 09:59 AM | Comments (1) | TrackBack

Can the TB Patient Sue the CDC?

The WSJ blog points to this interesting update about the TB patient who was quarantined for having a highly-resistant strain of TB. I blogged about the case here and here. According to the news story, times aren't very good from Andrew Speaker, the TB patient:

At National Jewish Medical and Research Center in Denver, where he was transferred from Grady, he received hate mail and death threats from people whom he said "turned on the news and saw this greedy, self-absorbed attorney." At a congressional hearing, a representative referred to Speaker as a "walking biological weapon." . . . .

Speaker was released from National Jewish on July 26, his treatment successfully completed. He takes 11 pills every morning at 8 a.m., supervised by public health officials who drop by on their way to work -- a standard regimen he will follow for the next two years to make sure the TB has been fully eradicated. He's in excellent health and has gone back to his previous routines, unmasked and unquarantined.

But his personal injury law practice is floundering, and his life is far from normal. His existing clients have stuck with him, but there have been no new clients since the ordeal began. The perception that he's a selfish jerk who thought nothing of exposing others to a deadly disease lingers.

"The CDC told everyone that I only care about myself," he said. "They made statements they knew were wrong. They intentionally went after my family and our character." . . . .

His father's practice has also suffered. Theodore A. Speaker, also a lawyer, has based his practice for 25 years on referrals from providers of prepaid legal services. Speaker said those companies stopped referring clients to his father after news of his TB broke because potential clients were afraid they'd catch TB if they came to Ted Speaker's office, which he shared with his son.

Speaker is also being sued in Canada for $1.3 million by eight passengers on his flight from Prague to Montreal for potentially exposing them to TB plus pain and suffering. The brother of one passenger is also suing.

At the end of the article is this interesting tidbit:

Does Speaker have any plans to sue the CDC?

"They're a federal agency. They have immunity," he said in resignation. "It's easier to think this guy is a jerk than that a government agency got together to intentionally misinform the public. That's much harder to believe."

What?

According to the news reports, Speaker's name was disclosed by government medical officials (probably CDC officials trying to cover their behinds for screwing up so badly). Medical officials have legal and ethical duties to maintain confidentiality. There's also a potential Bivens action for a violation of the constitutional right to information privacy. See Whalen v. Roe, 429 U.S. 589 (1977). Most circuits recognize the constitutional right to information privacy, and it is violated by unjustified disclosures of personal information, especially medical data. For example, in Doe v. Borough of Barrington, 729 F. Supp. 376 (D.N.J. 1990), the court held that the police could be liable for disclosing to a person's neighbor that the person was HIV positive. There are many other cases on point.

The short of it is that Speaker does have a case against the CDC if he can prove that CDC officials leaked his name and/or other medical information. It is clearly established that government officials have a duty of confidentiality of medical data under the constitutional right to information privacy in most circuits, so any qualified immunity claims would not bar liability (qualified immunity applies if the constitutional violation is not clearly established).

I sure think that there might be a case here.

Posted by Daniel J. Solove at 03:07 PM | Comments (5) | TrackBack

Why There's No First Amendment Right to Sell Personal Data

There are a number of really interesting cases pending in the First Circuit and its lower federal courts that raise questions of confidentiality and free speech in the context of the commercial trade in prescription drug information. In New Hampshire, Maine, and Vermont, data mining companies have raised First Amendment challenges to state laws that restrict the ability of pharmacists to sell information about which doctors prescribed which drugs. More information about these cases from the AP can be found here. I've written about this phenomenon here, arguing that there are sound doctrinal, jurisprudential, and policy reasons to reject any idea that regulation of the commercial data trade raises any serious First Amendment problems.

These cases all involve laws passed by states concerned about the sale of prescription information to data mining companies, who buy information about which doctors prescribe which drugs from pharmacies and then massage the data for use in marketing and other industry purposes. The laws vary in their particulars, but basically forbid or regulate the ability of pharmacies to sell the information. In April, a federal district court in the New Hampshire case struck down New Hampshire's law under the Central Hudson test as violating the companies' free speech rights. The First Amendment argument can be boiled down as follows: because the laws stop pharmacies from telling other people about their customers, they violate the pharmacy companies' free speech rights and are therefore unconstitutional.

I think this is a silly argument, as I explain after the jump.

This is an unconvincing argument for a number of reasons. At the level of doctrine, the commercial trade in personal information isn't the kind of free speech claim that the First Amendment is (or should be) concerned about. Lots of things that are done with words aren't protected by the First Amendment - words are used to form contracts, to engage in insider trading, and to hire hitmen - but laws regulating such activities aren't thought to implicate the First Amendment. Nor do we think of the attorney-client privilege as constituting a speech restriction on the ability of lawyers to inform the public with newsworthy disclosures about their clients. The boundaries of the First Amendment are fuzzy, but they tend to exclude purely commercial activity and they tend to exclude professional duties of confidentiality.

There are good reasons for this exclusion that involve why we do (and don't) protect constitutional rights in the political and commercial areas. The data mining companies in this case essentially argue that the Constitution prohibits the government from interfering with their liberty of speech. As such, there are some striking parallels between these arguments and old "liberty of contract" claims from the Lochner era. But modern constitutionalism rests upon the premise that commercial activity can be freely regulated by the government, while only political and civil liberties justify heightened scrutiny of legislative rules. This can be a hard line to draw, but not in these cases, as there are no fundamental constitutional liberties threatened by the prescriber confidentiality statutes. The pharmacies want to sell information. The drug companies want to buy the information so that they market drugs to physicians more effectively. And that's about it. The regulations don't even cover advertising (which is protected First Amendment speech). So there is no reason to invoke the Central Hudson apparatus to assess these schemes.

What's at stake in these cases is something really important, but it's not the spurious free speech claims of the drug companies. It's the ability of democratic legislatures and ultimately the people they represent to set the defining parameters for commercial uses of information. What's at stake is the ability, in a world where information transfers are becoming ever more important and more lucrative, to set a sensible information policy. Treating these issues as involving the First Amendment turns the First Amendment into little more than a right to make money in the data trade. The First Amendment is of course very important - it safeguards our political, philosophical, and artistic expression, and protects our ability to debate matters of public concern. But it should not be interpreted to include a Lochner-style right to transfer databases free of government regulation. Hopefully, the First Circuit will realize this on appeal in the New Hampshire case, putting the power to set information policy in the legislatures rather than in the Courts, and preserving judicial review for First Amendment claims that involve more substantial issues.

Posted by Neil Richards at 05:16 PM | Comments (0) | TrackBack

HIPAA-cracy

This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning's thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors' offices, and insurance companies use the statute's supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What's fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS -- the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?

The article points to one cause: the regulations are long and often vague (though not as bad as some claim); it is always easier to say "no" than to figure out how to say "yes." HHS must do a better job at presenting plain-English materials. Training of front-line staff -- who often have the most public contact -- also needs to improve. There are policy changes that could help with these problems, starting with greater effort at HHS.

In addition, I blame the army of consultants who descended on the health care industry after HIPAA passed and exaggerated its complexity to claim that only retention of their high-priced services could ensure compliance. Many offices are still spooked by that sales pitch. Increased clarity from HHS might help here too.

Finally, I agree completely with the HHS official who told the Times,

"Either innocently or purposefully, entities often use this as an excuse. They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”

I call this last phenomenon "HIPAA-cracy." You often see the same mindset in dealing with, say, insurance coverage disputes. Inflexibility and unhelpfulness are all too often a part of the modern health care experience. And I'm not sure whether any amount of careful regulatory design can overcome that.

[Cross-posted at Info/Law]

Posted by William McGeveran at 12:10 PM | Comments (7) | TrackBack

Vanity Taxes vs. Worthless Competitions

New Jersey adopted a "vanity tax" in 2004, levied on “any medical procedure performed on [an] individual which is directed at improving [his/her] appearance and which does not meaningfully promote the proper function of the body or prevent or treat illness or disease.” In a critique of the tax, Michael Duel argues that it is sexist and such surgery is frequently nondiscretionary:

Women can either feel inferior, enjoy a lower quality of life, and be rejected by mainstream society, or else suffer the pain and toil of cosmetic surgery to achieve the exact same ideals society uses to reject them.

Cosmetic surgeons have also railed against the tax, unctuously declaiming that it "discriminates against women" because they buy about 86% of the procedures.

NOW President Kim Gandy has a nice response to that canard:

In general, I'm opposed to most things that impact women disproportionately, but disproportionate use isn't a good measure if a tax is unfair or not. I can't imagine someone arguing against having a luxury tax on yachts because more of them are bought by men.

State Senator Karen Keiser is uppping the redistributive ante in Washington state, with a plan to earmark vanity tax revenue for health insurance for poor children. As one tax policy analyst claims, "In this anti-tax climate, these user-based, selective tax proposals are more palatable than broader ones."

Duel also attacks the vanity tax as a matter of tax policy, but I have a feeling he misses its point. . .

On the basis of Deborah Sullivan's 2000 study, he claims

Higher levels of attractiveness correlate to increased life satisfaction, less stress, perceived competency, and a positive balance of everyday life. Therefore, "the more attractive a person is, the more competent and in control of their lives they feel, affirming the attractiveness stereotype." . . . [G]ood-looking workers generally earn 5% to 10% more in income and hold more prestigious positions.

Duel thus argues that vanity taxes discourage the appearance-challenged from laying claim to these very real human goods. He claims that improved appearance both a) gives individuals a “competitive edge” in various contexts and b) makes them subjectively more satisfied with their lives. I believe neither of these goals outweigh the advantages of a tax, and the vanity tax may even promote the latter.

In the competitive context, Duel assumes that, if more people become more attractive, all will share in the advantages once enjoyed only by the appearance-favored. He appears to misunderstand the basic concept of “advantage.” It is concerned with the distribution of extant goods, not the production of more goods. Assume, for instance, that three associates at a law firm are bald (A, B, and C), and one has a full head of hair (D). Only one can make partner, and all have equal performance records and client contacts. D eventually gets the job on the basis of his presumed higher level of attractiveness to clients.

Now assume that C gets surgical hair implants, to “level the playing field” between him and D. It is far from likely that the firm will suddenly decide to make two partnerships available rather than one. The same logic applies to less dramatic allocations of earning power or professional advance. The role of enhanced appearance has been modeled by economist Robert Frank, who sees it as a classic example of a positional good--one whose value, far from being inherent, directly derives from its comparison with others. The appearance game is zero-sum; some move up only by pushing others down by comparison.

Of course, positional competitions can develop among many different axes; associates may also compete by billing more hours, developing their legal skills, or wooing clients. Note, though, that each of these strategies for success objectively increases the efficiency of the firm and increases the likelihood of expansion of the ultimate “prize,” be it higher pay, more partnerships, or more complex work.

What about the subjective dimensions of Duel's claim? Well, clearly some people are vain and put a lot of emphasis on looking better. But perhaps the very relativity of attractiveness makes the effort to tax appearance-enhancement the ultimate in efficiency. Consider Ng's work on diamond goods--these are goods that are valued, not necessarily for their intrinsic beauty or worth (a ring of cubic zirconium would have a gleam as sweet as a diamond's), as for their ability to show off one's wealth. People have a set "diamond budget," and it doesn't really matter if 10% or 90% of that goes to the government or DeBeers.

By the same token, standards of appearance often map to the types of clothing and skin tone that the wealthy can afford. As one commenter on a brilliant post at the Situationist notes,

Supposedly, in medieval Europe, light skin was considered beautiful, and only the rich aristocrats, who didn’t work in the fields like the poor peasants, had skin that wasn’t tanned. In more recent times, when poor people began to work in indoor factories and couldn’t afford to spend much time outdoors in the sun, tanned skin became seen as beautiful. . . . . This suggests a hypothesis: In a given society, the standard of beauty will be associated with whatever physical attributes distinguish between rich and poor. In other words, traits associated with low social status will be considered ugly and traits associated with high social status will be considered beautiful.

Therefore, by making the plastic surgery or Botox more expensive, we may well make it all the more desirable for those that get it.

Well, if that bit of trickonomics isn't enough to sway you, consider this characterization from Daniel Harris: "The idealized face of the model has always concealed an unspoken ulitmatum. Glowering accusingly at the reader, the alabaster mask intimidates her into buying products that cosmetic companies offer as a form of facial blackmail. . . ." Far from maximizing choice, the ready availability of cosmetic procedures just directs it toward trivial outlets.

Photo Credit: Mart & Gree, Flickr.

Posted by Frank Pasquale at 01:39 PM | Comments (3) | TrackBack

Too Much Privacy for the Virginia Tech Shooter?

Marc Fisher, a Washington Post columnist, has a column in the Washington Post complaining about how privacy laws are getting in the way of the investigation into the background of the Virginia Tech Shooter. He writes:

But the Virginia state panel investigating the shootings has already done enough poking around to show that any effort at reform will run straight into a solid wall built out of federal privacy regulations. . . .

The state investigation has been unable so far to get hold of the records that would show how Seung-Hui Cho's mental problems were dealt with by the university or the state.

Even though Cho is dead, his records remain under lock and key because of a federal privacy law that keeps medical records sealed...forever. In general, privacy rights expire when you do. That's as it should be--what possible right to privacy can you have when you're merely a memory?

When the feds were writing new privacy rules a few years ago, the government initially proposed to keep medical records confidential for two years after a person died. But the feds caved to privacy advocates who insisted that releasing such records could hurt living people, for example, if genetic information about the dead person were made public. . . .

The rules are now so wildly slanted toward keeping secrets that hospitals, doctors, mental health clinics, universities and others who deal with people like Cho can pretty much do whatever they want, without any effective public check on their handling of a case. Even after a mass murderer dies, it's unnecessarily difficult to hold institutions accountable.

Fisher's op-ed makes it sound as if the law absolutely bars the obtaining of the records. Fisher doesn't mention any particular laws (he only links to an HHS comment about one rule under HIPAA, but not the rule regulating access to records) or even discuss the standards that the law requires. But if one were to actually look at the law, it becomes clear that Fisher's gripe doesn't really exist. Unless I'm missing something, state officials could simply get a court order or subpoena to obtain the records.

The law isn't "wildly slanted" toward protecting privacy; nor does it erect a "solid wall" that prevents the investigation from getting the records. Nearly all privacy statutes allow government investigatory officials to obtain records with a mere court order or even a subpoena. The HIPAA regulations, for example, allow for the disclosure of health information pursuant to a court order or an "administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process authorized under law." 45 C.F.R. 164.512(f). The Family Education Rights and Privacy Act (FERPA) allows officials to obtain school records with a mere "subpoena issued for a law enforcement purpose." 20 U.S.C. 1232g (b)(1)(a)(J)(ii). Subpoenas are very easy to use. So what's the big deal here?

Posted by Daniel J. Solove at 09:39 AM | Comments (1) | TrackBack

More on Identifying the TB Patient

I blogged the other day about the inappropriate disclosure of the TB patient's identity. Over at Chronicles of Dissent, Dissent has an interesting post worth reading about the issue. He quotes Dr. Martin Cetron, Director of Division of Global Migration and Quarantine at CDC, who said: "I don’t think, publicly naming the individual, which we never do, has any advantage in [faciliating contacting individuals at risk of contracting TB from exposure to the patient], since this is not a disease that’s spread by casual interactions with the public." Dissent writes:

Certainly by now, the patient has been portrayed in a generally unflattering light in the media — as someone who was only concerned about his own needs and desires and who gave little thought to the health of others. Less media attention has been paid to his statements that he was never ordered not to fly, that at the time he left the country, he had not been diagnosed with the dangerous treatment-resistant strain, and that after they contacted him in Europe to inform him, he felt the CDC did not move quickly enough to make arrangements for his safe travel back to the U.S. for treatment — so he made his own arrangements.

Check out the full post for more about the issue.

Posted by Daniel J. Solove at 02:33 PM | Comments (2) | TrackBack

Identifying the TB Patient

The other day, I blogged about the TB patient who flew to Europe and back with the knowledge that he had a rare form of TB. The media had been reporting on the case for a while, and the man's name was not identified until a day or two ago, when a number of stories began including his full name and photograph [one photo is included in this post; I have obscured his face], as well as the name and photographs of the woman he married (including photos from his wedding).

Although I find the man's conduct to be irresponsible, I don't think it was appropriate to identify him. I bet that revealing his name will result in threats and attempts at vigilantism, possibly putting him and his family at risk of harm. It will also severely hurt his reputation and perhaps even his career. Some might say that he deserves such consequences, but I believe that the most appropriate sanctions are legal, not extra-legal. I have blogged extensively about my thoughts about such community mob "justice" here.

Was it appropriate for the media to publish his name and photograph? The name and photograph of his wife? I am curious about how his name got leaked. If one of his physicians released it, or if a government official at the CDC or elsewhere released it, he might have a cause of action for breach of confidentiality or public disclosure of private facts.

UPDATE: Dissent (a commenter to my post) points to an AP story that provides an answer to how the man's identity was revealed. According to the AP:

The tuberculosis patient under the first federal quarantine since 1963 is a 31-year-old personal injury attorney who practices law with his father in Atlanta, a federal law enforcement official said Thursday.

The official, who asked to remain anonymous because he was not authorized to talk about the case, identified the patient as [name]. A medical official in Atlanta also confirmed the patient's name on condition of anonymity.

Barring facts I'm unaware of, such a disclosure by the government official seems improper and probably illegal. It might well be a violation of the TB patient's constitutional right to information privacy. The confirmation of the patient's identity by the medical offical in Atlanta would be a breach of confidentiality. It is surprising that these individuals disclosed the man's name. They clearly knew better, as the federal official indicated he wasn't supposed to speak about the case and the medical official requested anonymity. This strikes me as a willful disregard for the law, and I hope that these officials will be punished, let alone successfully sued by the TB patient.

Posted by Daniel J. Solove at 01:46 PM | Comments (4) | TrackBack

DNA Sampling -- For Everyone?

The New York Times reports:

The Justice Department is completing rules to allow the collection of DNA from most people arrested or detained by federal authorities, a vast expansion of DNA gathering that will include hundreds of thousands of illegal immigrants, by far the largest group affected.

The new forensic DNA sampling was authorized by Congress in a little-noticed amendment to a January 2006 renewal of the Violence Against Women Act, which provides protections and assistance for victims of sexual crimes. The amendment permits DNA collecting from anyone under criminal arrest by federal authorities, and also from illegal immigrants detained by federal agents. . . .

The goal, justice officials said, is to make the practice of DNA sampling as routine as fingerprinting for anyone detained by federal agents, including illegal immigrants. Until now, federal authorities have taken DNA samples only from convicted felons.

The collection of DNA is now expanded to arrestees, whereas before it was for convicted criminals. Does the fact that it applies to arrestees--people who could be innocent of crimes--change the privacy implications? In the past, I've posted about whether there should be a national DNA database for everyone. The arguments made on behalf of the DNA database for arrestees and convicts could readily apply to such a broader DNA database. I wrote:

The benefits of using DNA identification are quite significant, since many people who have been wrongly convicted based on erroneous eye witness testimony (which is very unreliable) have been exonerated with DNA. Adding more DNA profiles will improve the database.

Nevertheless, I am very wary of the power the database gives the government. Since we leave trails of our DNA wherever we go, it might be possible to link particular people to particular places. That's what is done with crime scenes, but what if the use expanded beyond crime scenes?

For those who are unconcerned about the collection of DNA for arrestees, what if the DNA database contained the DNA of all citizens? After all, if it is beneficial in investigating crime and can be extended to arrestees who are later exonerated, why not take the next step and extend it to everybody? Would this pose a problem?

Hat tip: Deven Desai

Posted by Daniel J. Solove at 12:04 AM | Comments (5) | TrackBack

Online Blacklisting of Medical Malpractice Plaintiffs

In a disturbing development, websites are emerging to create blacklists of individuals who file medical malpractice claims. According to an article at Law.com:

In 2004, a group of Texas physicians launched DoctorsKnowUs.com. The site listed the names of plaintiffs, attorneys and expert witnesses in medical malpractice cases. That site did not make any distinction between cases that ended in plaintiff verdicts and those that ended in defense verdicts or settlements.

According to the New York Times, a North Texas man had trouble finding a physician for his 18-year old son after his name was posted on the site. He had filed a medical malpractice suit after his wife died from a missed brain tumor, and had won an undisclosed settlement.

DoctorsKnowUs.com was shut down four days after the Times article was published.

A new website to blacklist medical malpractice plaintiffs has emerged, called LitiPages.com. According to the Law.com article:

In the latest effort to enable doctors to shun patients who sue, an offshore company has launched an Internet site that lists the names of plaintiffs who have filed medical malpractice cases in Florida and their attorneys.

The site, LitiPages.com, encourages doctors to consider avoiding patients who are listed in the database, and it strongly encourages plaintiffs who have lost their cases at trial to turn around and sue their plaintiffs attorney. . . .

Unlike the Texas site, LitiPages.com plans to list only plaintiffs who filed cases that ended in a defense verdict, a settlement, or a plaintiff verdict on only one count while other counts were dismissed.

The overwhelming majority of med-mal cases that go to trial result in defense verdicts. A large percentage of claims never go to trial, and many of those result in settlements. Some experts say that it's not possible to say that cases are "frivolous" just because they don't result in a plaintiff verdict.

The article also discusses an interesting study about medical malpractice lawsuits:

A study released in May by researchers at the Harvard University School of Public Health concluded that claims that the U.S. medical malpractice system is riddled with frivolous lawsuits are overblown.

The researchers found clear-cut evidence of medical error in two-thirds of malpractice cases that are filed around the country. In those cases that involved a medical error, 73 percent of the plaintiffs received some sort of compensation. Of the one-third that did not involve a medical error, 72 percent of the plaintiffs did not receive compensation.

I find the LitiPages website very troubling. But what about the reverse -- a website listing doctors who have been sued for malpractice or who have lost malpractice cases? I feel somewhat differently about such a website because the vast majority of malpractice claims are for a few bad apples, and having information about them would be helpful to patients to prevent injury. Of course, I'm assuming a professional website that is accurate and helpful, but this may be in doubt because many cases settle, and a settlement can represent an egregious case as much as it can a rather minor case without a lot of merit that the doctor's insurance company just wants to go away. But assuming such a website can be fairly designed, is it consistent to reject the website for malpractice plaintiffs but to approve of a website for malpractice physicians?

I believe a distinction can be made. Physicians are professionals, and they have higher duties and responsibilities than the patients they treat. Indeed, one of the duties of the profession is to police itself, to weed out the bad apples. Sadly, I'm not sure that the medical profession does a good enough job of this (lawyers aren't much better at policing their own profession). In distinction, a blacklist of malpractice plaintiffs discourages them from exercising their legal rights and inhibits the legal system from redressing wrongs by errant physicians. Moreover, even to the extent to which plaintiffs bring frivolous suits, these are often the fault of the lawyers, not the plaintiffs.

Posted by Daniel J. Solove at 04:44 PM | Comments (8) | TrackBack

HIPAA's Lax Enforcement

Today's Washington Post has an interesting story about how the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) are not being enforced:

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services' Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

The lax enforcement of HIPAA could be addressed if HIPAA were to have a private right of action. Currently, HIPAA doesn't provide a way for individuals to sue for privacy violations. HIPAA would be more effective with a private right of action, which would prevent enforcement from being stymied whenever an agency isn't interested in enforcing a law. The Bush Administration has little love for the HIPAA privacy regulations, which it tried to kill when it took over power from the Clinton Administration. Instead of killing HIPAA, the Bush Administration rewrote parts of the regulations, weakening them significantly. And now, the strategy seems to be to let the HIPAA regulations sink into irrelevance.

Posted by Daniel J. Solove at 12:12 PM | Comments (2) | TrackBack

Sex in Kansas

Yes, Dorothy, you really can tell your doctor about sex in Kansas. A while ago, I wrote about the Kansas Attorney General's interpretation of a law prohibiting sex with minors under the age of 16 as requiring doctors to report any sexual activity by people under 16 to the state authorities (here and here).

Recently, a federal district court judge concluded in Aid for Women v. Foulston:

An individual’s right to informational privacy may be implicated when the government compels disclosure of that individual’s personal sexual or health-related information to the government and/or to other third parties. Compelled disclosure may violate an individual’s right to informational privacy unless the disclosure serves a compelling state interest in the least intrusive manner. To determine whether information is of such a personal nature that it demands constitutional protection, the court considers: “1) if the party asserting the right has a legitimate expectation of privacy; 2) if disclosure serves a compelling state interest; and 3) if disclosure can be made in the least intrusive manner.” A “legitimate expectation of privacy,” is based “at least in part, upon the intimate or otherwise personal nature of the material.” . . .

The Supreme Court and this Circuit have extended to minors the constitutional right to privacy, including the right of informational privacy. However, in a variety of contexts the power of the state to control or regulate the conduct of children has been found to reach beyond the scope of its power over adults. For the narrow issue of whether mandatory reporting of consensual sexual activity of minors violates a minor’s informational privacy rights, the court begins with a three-prong analysis: 1) is there is a legitimate expectation of privacy; 2) does disclosure serve a compelling state interest; and 3) can disclosure be made in the least intrusive manner? The court finds the Kansas reporting statute encompasses these elements. First, the statute recognizes an expectation of privacy in conduct when there is no reason to suspect injury as a result of abuse. Second, the state clearly has a compelling interest in protecting children from abuse, but, as the statute indicates, this interest is limited to circumstances when there is a reason to suspect injury. Thus, a minor’s privacy ends where the state’s interest in protecting the minor begins. Finally, the statute recognizes that privacy should be breached only when injury to the child is reasonably suspected. By its very terms, the statute recognizes an element of privacy in mandatory reporting of unlawful sexual activity of a minor.

As the court concluded above, the statute itself wasn't a problem. The Kansas AG's interpretation of the law, however, went too far, and the court enjoined it. According to the court:

The state has a strong interest in protecting minors and promoting public health. But this interest is at its ebb in the present action, where the Attorney General’s Opinion goes beyond the scope of the reporting statute, potentially criminalizing the decisions health care providers make in utmost good faith, and solely with the physical and emotional health of their patients in mind. The Attorney General’s over-expansive interpretation of the reporting statute not only fails to serve the public interest, it actually serves to undermine it by causing minors to avoid seeking medical services and potentially overburdening SRS.

The court’s interpretation of the reporting statute promotes the public interest; injunctive relief advances the interests of society in general. The core of the reporting statute – providing for the detection and protection of children suffering from incest or abusive sexual activity – is unaffected by this opinion. Such acts were and will remain subject to mandatory reporting. But the statute was not intended to cover consensual sexual activity between age-mates that do not result in injury. Injunctive relief barring the Attorney General from instituting a per se rule that all illegal sexual activity involving a minor is injurious advances the public interest in protecting children by allowing reporting, administrative investigation, and law enforcement efforts to be concentrated on the legislature’s real target – true sexual abuse. Injunctive relief also will prevent dissipation of scarce public resources on clear cases of consensual, same-age sexual relations, and it will avoid creating a government storage house of reported consensual sexual activity between age-mates.

The court discussed the testimony of medical experts that demonstrated the harms of the blanket reporting requirement. One expert testified that:

Mandatory reporting of all sexual activity to a state agency can be more frightening given the potential for criminal liability. If minors are told that there may be an investigation, they may be more inhibited in seeking care. Further, minors who otherwise would seek medical care with their parents’ involvement may be deterred by the potential to involve their parents in a criminal investigation. Automatic mandatory reporting of illegal sexual activity involving a minor will change the nature of the relationship between a health care provider and the minor patient to some degree. Based on studies that evaluated the effects of parental notification, there will be a significant decrease in minors seeking care and treatment related to sexual activity. In the context of a reporting statute, the effects may be greater since a state agency will be notified of the alleged “sexual abuse.” According to several witnesses, in the long-term, forgoing or delaying medical care leads to risks to minors including the worsening of existing medical conditions and the spreading of undiagnosed diseases. The Wisconsin study indicates that at a minimum, young persons report that they will engage in riskier behavior if confidential care is not available.

Another expert testified as to the effects of the reporting requirement on victims of sexual abuse:

The court finds Dr. Kellogg’s testimony to be particularly insightful and compelling. Her experience extends across the entire spectrum of victims of sexual abuse – she has examined over 8,500 persons in her practice and is widely published in peer-reviewed publications. . . . Dr. Kellogg testified, inter alia: 1) not all underage sexual activity, including intercourse, is injurious; 2) appropriate sexual activity, which will vary from person to person, is part of a normal person’s development; 3) she takes whatever time she needs in conducting clinical interviews with her patients; and 4) maintaining discretion in reporting to determine if injury has occurred is important, as there are differences in patients and their situations.

In my earlier post about the issue, I wrote:

If one applied Whalen [the case establishing the constitutional right to information privacy] rather formalistically, one might conclude that so long as Kansas officials provided adequate security for the information and did not publicly disclose it, the reporting requirement would not violate the right to information privacy. But the Kansas reporting requirement differs in its more significant breadth -- it goes beyond the original purpose of the law, which is really a sexual abuse and statutory rape law, not a general anti-teen sex law. The court may thus find that this broad reporting requirement is not justified -- the state interest in reporting might not be compelling enough. On the other side of the balance, the privacy interests are quite strong. Such a reporting requirement might deter teenagers from seeking medical care for STDs or from obtaining contraception.

The plaintiffs do not devote much attention to the Fourth Amendment in their papers, but I believe that the plaintiffs may have a strong Fourth Amendment argument.

The court basically agreed with my analysis of the constitutional right to information privacy. I still think that there's also a potential Fourth Amendment argument too.

Hat tip: Chris Geidner

Related Posts:
1. Solove, Can Doctors Be Required to Tell the Government About Teen Sex? (Feb. 2006)
2. Solove, Update on the Kansas Teen Sex Medical Records Case (Feb. 2006)

Posted by Daniel J. Solove at 01:43 PM | Comments (2) | TrackBack

Update on the Kansas Teen Sex Medical Records Case

A few days ago, I blogged about a case in Kansas where the Attorney General interpreted a law prohibiting sex with minors under the age of 16 as requiring doctors to report any sexual activity by people under 16 to the state authorities. Recently, the Kansas Supreme Court issued an opinion, Alpha Medical Clinic v. Anderson, strongly limiting the Attorney General's reporting requirement. Relying in significant part on Whalen v. Roe, 429 U.S. 589 (1977) (discussed in depth in my earlier post), the Kansas Supreme Court reasoned:

It is beyond dispute that the State has a compelling interest in pursuing criminal investigations. . . . And an individual's right to informational privacy is not necessarily "absolute; rather, it is a conditional right which may be infringed upon a showing of proper governmental interest." . . . . Also, the fundamental right to obtain a lawful abortion may be regulated as long as the regulation does not constitute an undue burden. . . .

Our evaluation necessarily involves weighing of these competing interests, including the type of information requested, the potential harm in disclosure, the adequacy of safeguards to prevent unauthorized disclosure, the need for access, and statutory mandates or public policy considerations. See Lawall, 307 F.3d at 790 (citing United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 [3rd Cir. 1980]). . . .

Petitioners contend the attorney general has not shown a compelling need for unredacted patient files. Kline now takes the position that the patients' identifying information may be redacted. Petitioners further assert that it is "inconceivable" the disclosure of entire patient files would be the least intrusive way to meet a compelling state interest in uncovering noncompliance with the criminal abortion and mandatory child abuse reporting statutes. Petitioners have pointed to the example of the many details of each patient's sexual and contraceptive history that the files are likely to contain but that are equally likely to be irrelevant to the factors required to be considered and documented under the criminal abortion statute. With regard to the child abuse reporting statute, we expect that nearly all information except the identity and age of the male who impregnated the minor patient, his relationship to the minor patient, the circumstances surrounding the sexual intercourse that produced the pregnancy, and compliance or noncompliance with reporting requirements is likely to be irrelevant to Kline's inquiry.

The type of information sought by the State here could hardly be more sensitive, or the potential harm to patient privacy posed by disclosure more substantial. Judge Anderson's order does not do all it can to narrow the information gathered or to safeguard that information from unauthorized disclosure once it is in the district court's hands. Although the criminal inquisition statutes do not speak to the need for such narrowing and safeguards, the constitutional dimensions of this case compel them. . . .

In sum, Judge Anderson must withdraw his order and first evaluate the inquisition and subpoenas in light of what the attorney general has told him regarding his interpretation of the criminal statutes at issue. If the judge requires additional information in order to perform this evaluation, he should seek it from the attorney general in the inquisition proceeding. As targets of the investigation, petitioners need not be included in any hearing or other communication to enable this evaluation.

Only if Judge Anderson is satisfied that the attorney general is on firm legal ground should he permit the inquisition to continue and some version of the subpoenas to remain in effect. Then he also must enter a protective order that sets forth at least the following safeguards: (1) Petitioners' counsel must redact patient-identifying information from the files before they are delivered to the judge under seal; (2) the documents should be reviewed initially in camera by a lawyer and a physician or physicians appointed by the court, who can then advise the court if further redactions should be made to eliminate information unrelated to the legitimate purposes of the inquisition. This review should also determine whether any of the files demonstrate nothing more than the existence of a reasonable medical debate about some aspect of the application of the criminal abortion and/or mandatory child abuse reporting statutes, which the attorney general's office has already acknowledged would not constitute a crime. If so, those files should be returned to petitioners; and (3) any remaining redacted files should be turned over to the attorney general.

Related Posts:
1. Solove, Can Doctors Be Required to Tell the Government About Teen Sex?

Posted by Daniel J. Solove at 02:53 PM | Comments (2) | TrackBack

Can Doctors Be Required to Tell the Government About Teen Sex?

A rather remarkable case is beginning in Wichita, Kansas. From the Wichita Eagle:

A 15-year-old girl tells her doctor she needs birth control because she and her boyfriend are having sex.

Kansas Attorney General Phill Kline says the law requires the doctor to report the girl to child protective services.

A group of doctors, nurses, counselors and other health-care providers across Kansas say it's none of the state's business.

U.S. District Judge J. Thomas Marten will have to decide who's right during a trial beginning Monday in Wichita that's being watched across the country by legal, women's and health-care groups. . . .

Kline touched off what has become a lengthy court battle with a controversial legal opinion in 2003. Kansas law makes sexual contact with anyone under 16 a crime. Kline said that means doctors, psychologists, nurses and other health-care providers should report all suspected sexual activity involving anyone younger than 16.

The plaintiffs' complaint is here. And here is their memorandum in support of their motion for a preliminary injunction. I believe that the plaintiffs may have a good case.

The plaintiffs first raise a constitutional right to information privacy claim. In a case called Whalen v. Roe, 429 U.S. 589 (1977), the Supreme Court stated that the constitutional right to privacy protected two "different kinds of interests" -- (1) "the individual interest in avoiding disclosure of personal matters" and (2) "the interest in independence in making certain kinds of important decisions." The first interest has become known as the constitutional right to information privacy. The Court only addressed this right in one other case, Nixon v. Administrator of General Services, 433 U.S. 425 (1977). Since then, however, the Court has done little to clarify the right. A few courts have concluded that the right is just dicta, but most federal courts of appeal have recognized the right, including the 2nd, 3rd, 4th, 5th, 6th, 7th, 9th, and 10th Circuits.

It is unclear how the constitutional right to information privacy claim will be resolved. Courts assess constitutional right to information privacy claims by balancing the privacy interests against the governmental interests. The 3rd Circuit has set forth seven factors to consider in the balancing: (1) “the type of record requested”; (2) “the information it does or might contain”; (3) “the potential for harm in any subsequent nonconsensual disclosure”; (4) “the injury from disclosure to the relationship in which the record was generated”; (5) “the adequacy of safeguards to prevent unauthorized disclosure”; (6) “the degree of need for access”; and (7) “whether there is an express statutory mandate, articulated public policy, or other recognizable public interest militating toward access.” United States v. Westinghouse Electric Corp., 638 F.2d 570 (3d Cir.1980). These factors are used by many courts outside of the 3rd Circuit.

Looking at the facts of Whalen suggests that the plaintiffs might have an uphill battle in establishing a violation of the constitutional right to information privacy. Whalen involved a reporting requirement that doctors inform the state whenever they prescribed certain dangerous drugs (opium derivatives, cocaine, methadone, amphetamines, and others). The Court then balanced the privacy interest against the state interest in requiring reporting and concluded that the reporting scheme passed constitutional muster because the information would be kept secure and would not be disclosed to the public. If one applied Whalen rather formalistically, one might conclude that so long as Kansas officials provided adequate security for the information and did not publicly disclose it, the reporting requirement would not violate the right to information privacy. But the Kansas reporting requirement differs in its more significant breadth -- it goes beyond the original purpose of the law, which is really a sexual abuse and statutory rape law, not a general anti-teen sex law. The court may thus find that this broad reporting requirement is not justified -- the state interest in reporting might not be compelling enough. On the other side of the balance, the privacy interests are quite strong. Such a reporting requirement might deter teenagers from seeking medical care for STDs or from obtaining contraception.

The plaintiffs do not devote much attention to the Fourth Amendment in their papers, but I believe that the plaintiffs may have a strong Fourth Amendment argument. Kansas might immediately point to the third party doctrine, in which the Supreme Court has held that whenever information is exposed to a third party, a person lacks an expectation of privacy in that information, and hence there is no Fourth Amendment protection. I blogged about the third party doctrine in more detail in another post. The Supreme Court has yet to confront the most difficult question regarding the third party doctrine – whether it applies to the patient-physician relationship. The logic of the third party doctrine appears to apply to information held by health care providers -- after all, they are third parties. On the other hand, there is a longstanding tradition of doctors maintaining patient confidentiality, dating back to the Hippocratic Oath (circa 400 BC). It would be hard to imagine courts concluding that people have no reasonable expectation of privacy in the information they tell their doctor. If there is a reasonable expectation of privacy in one's medical data maintained by one's doctor, then the Fourth Amendment might require a warrant supported by probable cause in order for the state to obtain it. This would mean that the automatic reporting requirement (which does not involve a warrant or probable cause) would violate the Fourth Amendment and be struck down.

Kansas may argue that the disclosure of the information falls under the "special needs" doctrine, a limited set of contexts where the Supreme Court has stated that search warrants and probable cause are not required by the Fourth Amendment. In these cases, courts look to the "reasonableness" of the search, and this involves a balancing of the privacy interests against the state interest in disclosure. I think that there is a strong argument that the Kansas disclosure requirement is unreasonable. For example, in Ferguson v. City of Charleston, 432 U.S. 67 (2001), a hospital tested the urine of pregnant patients suspected of drug use. The Supreme Court concluded that the testing was unreasonable:

The reasonable expectation of privacy enjoyed by the typical patient undergoing diagnostic tests in a hospital is that the results of those tests will not be shared with nonmedical personnel without her consent. . . . [In other drug testing cases] the “special need” that was advanced as a justification for the absence of a warrant or individualized suspicion was one divorced from the State’s general interest in law enforcement. . . . In this case, however, the central and indispensable feature of the policy from its inception was the use of law enforcement to coerce the patients into substance abuse treatment. This fact distinguishes this case from circumstances in which physicians or psychologists, in the course of ordinary medical procedures aimed at helping the patient herself, come across information that under rules of law or ethics is subject to reporting requirements, which no one has challenged here.

The problem with the hospital's program was that it was done for law enforcement purposes. The same is true for the Kansas teen sex reporting requirement. In Ferguson, the Court concluded:

While the ultimate goal of the program may well have been to get the women in question into substance abuse treatment and off of drugs, the immediate objective of the searches was to generate evidence for law enforcement purposes in order to reach that goal. . . . Given the primary purpose of the Charleston program, which was to use the threat of arrest and prosecution in order to force women into treatment, and given the extensive involvement of law enforcement officials at every stage of the policy, this case simply does not fit within the closely guarded category of “special needs.”. . . .

As respondents have repeatedly insisted, their motive was benign rather than punitive. Such a motive, however, cannot justify a departure from Fourth Amendment protections, given the pervasive involvement of law enforcement with the development and application of the MUSC policy. . . . The Fourth Amendment’s general prohibition against nonconsensual, warrantless, and suspicionless searches necessarily applies to such a policy.

I believe that the plaintiffs have a strong case under the Fourth Amendment.

Posted by Daniel J. Solove at 03:52 AM | Comments (6) | TrackBack

Teaching Information Privacy Law

This post was originally posted on PrawfsBlawg on May 10, 2005. I have made a few small edits to this post.

For the law professor readers of this blog, especially newer professors (or professors-to-be) who are still figuring out the courses they want to teach, I thought I’d recommend information privacy law as a course you might consider teaching. (I have a casebook in the field, so this is really a thinly-disguised self-plug.)

Information privacy law remains a fairly young field, and it has yet to take hold as a course taught consistently in most law schools. I’m hoping to change all that. So if you're interested in exploring issues involving information technology, criminal procedure, or free speech, here are a few reasons why you should consider adding information privacy law to your course mix:

1. It’s new and fresh. Lots of media attention on privacy law issues these days. Students are very interested in the topic.

2. Lively cases and fascinating issues abound. There’s barely a dull moment in the course. Every topic is interesting; there is no rule against perpetuities to cover!

3. It’s a way to teach fascinating First Amendment, Fourth Amendment, and other constitutional law issues. Often, those wanting to teach in these areas have to wait in line until the course is “released” by professors who already teach it. Getting the First Amendment course, for example, is about as easy as unseating an incumbent in Congress. Information privacy law lets you teach really interesting First Amendment issues and there’s usually not a long succession line to teaching an information privacy law course. Moreover, many law schools already have somebody teaching cyberlaw, and information privacy law covers some incredibly interesting law and information technology issues.

4. The field is growing . . . big time. There are many new jobs in privacy law – jobs at privacy advocacy organizations, most major companies, financial institutions (must have a privacy officer per Gramm-Leach-Bliley Act), health institutions (must have a privacy officer per HIPAA regulations), and the government (DHS privacy office, etc.). Many new laws are being passed regarding privacy, and cases involving these issues are multiplying.

5. The field has some staying power. As long as computers and information remain in fashion, privacy will remain a big issue. It’s not going away . . . the field, that is. Privacy . . . well, that’s a different story.

6. Plenty of material for a three-