Speaking of Big Brother problems, for those of you who are not familiar with health care issues:
The following article on HIPAA appeared in the Thursday a.m.
Congressional Quarterly Homeland Security Web-based newsletter.
CQ HOMELAND SECURITY "INTELLIGENCE"
April 23, 2003, 8:35 p.m.
New Medical Privacy Law Opens Back Door to Intelligence Agencies
By Jim McGee, CQ Staff Writer
An obscure provision in a health care privacy rule that took effect last week opens the door for U.S. intelligence agencies to obtain the medical records of U.S. citizens without a court order and to share that data widely within the federal government.
The rule permits doctors, psychiatrists, hospitals and insurance
companies to release "protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.)."
Beginning April 14, doctors and other health professionals began asking their patients to sign a form acknowledging they had read a lengthy explanation of the new privacy rules put in place under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (PL 104-191).
"We may also disclose your protected health information to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized," said a version of the form being used in the District of Columbia.
How a law that once was touted as a boon for patient privacy ended up laying a wider and more clearly marked highway for government agents to gather "lawful intelligence" from doctors' offices, local pharmacies and hospitals is a story of competing policy goals in Congress and the deepening imprint of terrorism on the civil liberties of U.S. citizens.
At bottom, the story shows how some anti-terrorism measures, taken in response to the 9/11 attacks, can have unintended consequences for individual rights, consequences that only now are hardening into the concrete of federal regulation.
In the context of the USA Patriot Act and the Pentagon's Total
Information Awareness data-mining research program, moreover, the new medical privacy regulation raises fears that personal medical data will be widely disseminated in government intelligence circles.
"Unprecedented," privacy defenders called it.
Good Intentions
When Congress passed HIPAA in 1996, it called for the creation of
federal privacy laws protecting personal medical information.
But in 1999, the Department of Health and Human Services published a proposed regulation saying that medical records could also be released, "for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.)."
The notice touched off a "vigorous debate" inside the Clinton
administration, recalled Peter P. Swire. At the time, Swire was chief
counselor for privacy in the Office of Management and Budget in the Clinton White House.
Now a professor at the Moritz College of Law at Ohio State University, Swire said the Clinton administration decided the new medical privacy regulations were not "going to stand in the way of national security."
Back then, the matter generated relatively little public debate, he
said, for two reasons.
First, the provision was viewed as an exception that would be used only in special circumstances against a "terrorist or enemy of the country," and only on a case-by-case basis.
Second, parties to the drafting worked on the assumption that the
privacy rights of U.S. citizens would be protected by the existing legal framework of the Foreign Intelligence Surveillance Act (FISA), which issues warrants allowing the FBI to surveil suspected spies and terrorists with wiretaps and bugs.
In addition, the information then was largely restricted to the FBI and kept in special intelligence files that were not generally shared with other agencies.
In short, the administration decided the privacy rights of patients
would be protected except under extraordinary circumstances.
"Nothing is more private than someone's medical or psychiatric records," President Bill Clinton said in a speech on Dec. 20, 2000, the day the final regulations were released by HHS.
Into the Bush White House
The Bush administration issued its own version of the regulation in October, 2002, with an effective date of April 14, 2003, with no changes to the national security provisions.
By then, of course, the events of Sept. 11, 2001 had transformed the context of privacy protections and intelligence-gathering, summed up in the rapid passage of the USA Patriot Act.
Suddenly, the FBI's safeguards for protecting sensitive foreign
intelligence information were denounced as invidious bureaucratic
"walls" that unwisely prohibited intelligence agencies from sharing
information and, it was alleged, facilitated unchecked terrorist
movements prior to the 9/11 attacks. The Patriot Act removed walls
between the FBI and CIA and authorized distribution of intelligence to all "federal law enforcement, intelligence, protective, immigration, national defense, or national security officials."
"Post 9/11, you can see how the national security exception [to the
medical privacy law] could become a back door for law enforcement access to medical records without issuing subpoenas that HIPAA usually requires," Swire said.
Because both the Clinton administration and health privacy advocates were relying on an established legal framework, governed by judges, they had focused their attention on erecting privacy protections in relation to criminal investigations by law enforcement agencies, not counterterrorist intelligence gathering.
"There is a detailed road map for how law enforcement is supposed to get medical records," Swire said of the regulation. "The national security exception, interpreted broadly, could put the same data into the same people's hands without a subpoena."
In November 2002, the Homeland Security Act accelerated the trend toward unrestricted intelligence sharing and called for the use of "data-mining and other advanced analytical tools" that depended on accessing massive collections of data, both criminal and non-criminal.
Over at the Pentagon, the Defense Advanced Research and Development Agency (DARPA) took this new direction to heart and launched an ambitious data-mining research program called Total Information Awareness (TIA).
One TIA program, the Bio-event Advanced Leading Indicator Recognition Technology, or Bio-ALIRT, was designed to detect early signs, in health care data, of a slow-moving disease that might signal a biological warfare attack.
An Opening Wedge
Bio-ALIRT was aimed squarely at medical charts, given the requirement that it "identify abnormal health early indicators, and mine existing databases to determine the most valuable early indicators of abnormal health conditions."
Under the new regulation, Swire said, the Pentagon might well be allowed access to millions of patient records in bulk collections -- say, everyone treated in U.S. hospital emergency rooms over the past six months.
"What if a government agency says 'We want all of your medical records for our new national security screening program,'" Swire asked. "That issue was never debated."
Moreover, he said the new regulation permits the release of medical information to public health agencies, but does not limit what those agencies can do with the information.
"That is a loophole that could permit enormous amounts of records to go into these bioterrorism efforts," Swire said.
Watchdogs Surprised
For the time being, professional privacy advocates in Washington are nonplussed by the meaning of the new rule. Janlori Goldman, director of the Health Privacy Project, stresses that the exemption allows, but does not require, doctors to turn over records.
The Patriot Act made it easier for FBI agents to use national security letters to obtain confidential telephone records and financial reports that would otherwise be covered by privacy laws.
The medical privacy regulation does not require this step, however.
"It is looser," said Goldman. "It allows for easier access than a
National Security letter," a kind of administrative subpoena signed by an FBI official, rather than a judge.
Marc Rotenberg, president of the Electronic Privacy Information Center, a Washington, D.C.-based civil liberties watchdog, said that, as written, the regulation "is much broader" than rules governing access to financial records.
"That is just about the loosest standard that you could conceive of," he said. "That is probably without precedent. At least the privacy statutes that I am familiar with, there is at least a lot more careful cabining of that authority."
Meanwhile, doctors will remain the first line of defense in protecting
patients' privacy. Under the new rules, it is the doctors, hospitals and insurance companies who are supposed to decide if the federal agents who come to them with requests for "lawful intelligence" about a patient have a legitimate national security need to see a medical chart.
And the way things are now, Swire said, there is no judge "to make a decision." Or to stand in the way.
Source: CQ Homeland Security
© 2003 Congressional Quarterly Inc. All Rights Reserved