Catherine Weiss
Director, Reproductive Freedom Project
American Civil Liberties Union
125 Broad Street
New York, N.Y. 10004
(212) 549-2633

February 17, 2000

The American Civil Liberties Union (ACLU) is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom and equality set forth in the Bill of Rights to the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life.

Long concerned about the diminution of privacy in an electronic age, and recognizing the special sensitivity of medical records, the ACLU has repeatedly urged Congress to enact a comprehensive statutory scheme to protect the rights of individuals to shield their medical information from unauthorized disclosures. In the absence of congressional action, the ACLU welcomes federal regulatory activity to address the issue of medical records confidentiality.

Nonetheless, we are concerned about aspects of the proposed regulations published in the Federal Register on November 3, 1999 (64 Fed. Reg. 59918-60065) by the Department of Health and Human Services (HHS). We recognize this proposal as an important step in the process that we hope will lead to comprehensive medical privacy protections, but we strongly urge that the regulations be strengthened. We especially urge improvements in the rule’s treatment of four core issues: (1) law enforcement access to medical records; (2) creation of government health data systems; (3) the absence of a requirement for patient authorization before medical records are used for purposes of treatment, payment and health care operations; and (4) medical privacy issues of special concern to women, including the protection of reproductive rights.

A central theme of our comments and suggestions is that patients need to be protected from invasions of their privacy by the government, not just by corporations. In general, the proposed rule does a good job of shielding private health information from disclosure to marketers and other commercial entities, but does not adequately guard against invasive data collection by government agencies, including law enforcement agencies. Government itself can pose a serious threat to the confidentiality of the doctor-patient relationship.

I. Structure of these Comments

This cover document presents the ACLU’s view of the need for medical privacy protections, highlights our most pressing concerns about the proposed regulations, and flags several other issues in the proposed rule that we regard as significant. Attached to this document are a series of single-spaced documents, each commenting in greater detail on a specific aspect of the proposed rule. We recognize that the Department of Health and Human Services (HHS) has requested that all comments be addressed to specific topics delineated in the Federal Register, but we believe it is also useful and appropriate to present this cohesive critique of the proposal in order to emphasize common themes that run through our more specific comments.^*

II. The Need for Medical Privacy Protections

Advances in technology have brought about a revolution in every aspect of health care, including the manner in which medical information is maintained and disseminated. Today, medical data can be collected, combined, collated, analyzed and distributed faster and easier than ever before. Huge quantities of health-related information can be stored electronically and transmitted across the country and around the globe with the click of a computer mouse. Much of this electronic activity benefits individual patients and facilitates public health efforts as well. But, like many technological advances, society’s increased reliance on computerized medical records presents significant challenges to privacy.

In the absence of legal safeguards, computer technology allows for virtually unlimited access to medical records without the knowledge or consent of the patient whose records are accessed. Health care providers are generally motivated to gather and share such information to improve the quality of care. But other entities may gather medical information for commercial and other non-medical purposes: pharmaceutical companies may want to solicit potential new customers, insurance companies may want to insure healthy policy holders and avoid unhealthy ones, employers may want to avoid hiring or keeping unhealthy employees on the payroll, and law enforcement agencies may be tempted to view computerized medical records as a vast new centralized data base to search for clues to crime.

These illegitimate uses of medical information undermine the trust that is a fundamental component of the doctor-patient relationship. Medical records contain particularly sensitive and intimate information, and patients are susceptible to humiliation and discrimination in the event information from their medical records is improperly disclosed. Privacy is valuable in all aspects of our lives, but in the health care context it can literally be a matter or life or death.

In congressional testimony and elsewhere, the ACLU has set forth numerous instances in which individuals’ medical records have been used for purposes that do not benefit -- and indeed may harm -- the patient whose records are used. These breaches of privacy occur because individuals often do not physically possess their medical records; rather such records are in the possession of doctors, insurance companies, employers or, increasingly, data warehouses. In our legal system, as a general matter, property owned by an individual may not be used by a custodian of the property for any purpose without the owner’s consent, and certainly not for a purpose that would harm the owner. But current law does not adequately recognize a patient’s "ownership" of his or her medical records.

The ACLU believes that patients own their medical information, and that health care providers or insurance companies who maintain records containing that information should be viewed as custodians of the patients’ property. We believe that medical records in the possession of health care professionals or third party payors are like client files in the possession of attorneys. The patient or the client retains ultimate control over the disclosure of information in their records. It follows that patients should reasonably expect that their personally identifiable health information will not be disclosed to anyone unless they have given specific and express written consent, and that their health information will be protected from unauthorized access to the fullest extent practicable.

These straightforward objectives are elusive because the United States lacks a coherent and consistent medical privacy policy. A patchwork of state laws affords varying levels of protection to citizens in some jurisdictions. That is insufficient. A nationwide law is needed to establish a baseline of medical privacy protections at the dawn of the digital communication age.

Congress itself has recognized the need for federal action. The Health Insurance Portability and Accountability Act of 1996 included a provision setting an August 1999 deadline for enactment of a comprehensive medical privacy law, and authorizing the Secretary of Health and Human Services to promulgate medical privacy regulations if Congress does not act by that date. Despite consideration of several bills, including one endorsed by the ACLU (S. 573, sponsored by Senators Leahy, Kennedy, Daschle and Dorgan), Congress has not acted. HHS has now exercised its statutory authority to propose regulations, and it is with respect to this proposed rule that we offer comments at this time.

III. Overview of Key ACLU Concerns

There are numerous aspects of the regulatory proposal that we believe should be strengthened. Our concerns in four areas are so acute that we will single them out in this overview document and also separately address them in the specific comments appended hereto in order to comply with the request of HHS that comments be segregated by subject matter. These four areas are: (1) law enforcement access to medical records; (2) governmental data systems; (3) patient authorization; and (4) women’s rights, including reproductive privacy.

The first two of these four major concerns are subjects with respect to which HHS has proposed exceptions to the general principle that medical information is private and may not be disclosed to third parties without a patient’s consent. The HHS proposal contains a series of such exceptions, each of which, viewed in isolation, may be understandable. But taken as a whole, the proposal consists of so many opportunities for disclosure as to call into question the presumption of privacy underlying the entire regulatory effort.

This is particularly true with regard to HHS’s treatment of government access to medical data. In general, the proposal does a good job of shielding medical information from disclosure for unauthorized commercial purposes. But the rule is less vigilant against the accumulation of medical information by government agencies. Exceptions for law enforcement access, government health data systems, health oversight, public health and others combine to permit government agencies to obtain health information without patient consent and with insufficient limits on the use of the information by the agency.

For many patients, the fear of government access to private medical information has the same chilling effect as the fear of commercial access. In fact, many Americans regard the government as more of a threat to liberty than the private sector. This proposed rule is animated by the goals of enhancing patient trust and reducing privacy protective behaviors, but the erosion of trust and the avoidance of treatment are equally evident when medical privacy is breached by the government as by private entities.

If these exceptions for government access are to remain, we urge that they be crafted more narrowly. Indeed, every exception to the general principle of non-disclosure should be drawn as narrowly as possible in order to effectuate the rule’s broader goals.

A. Law enforcement access to medical records

In September, 1997, pursuant to statutory direction, HHS submitted recommendations to Congress regarding medical privacy that included a proposal for virtually unfettered law enforcement access to medical records. Roundly criticized for this proposal by the ACLU and many other organizations, HHS has now proposed a regulation that appears to establish limits on law enforcement access, but those limits are illusory and establish no meaningful legal process. Indeed, as drafted, the rule contains gaping loopholes that permit computerized medical records to be used as a vast centralized police database. Medical records of ordinary law-abiding Americans must not be treated like mug shots, fingerprints or other current databases compiled from convicted criminals.

Earlier, we expressed our view that patients own their medical information. Consistent with this position, we believe that government agents should be required to obtain judicial approval under a meaningful probable cause standard before they are granted access to a patient’s medical records in the custody of a third party such as a doctor or an insurance company. If an individual happens to keep his medical records in a desk drawer in his home, the police are required to obtain a search warrant from a neutral magistrate based on a showing of probable cause before entering the home and seizing the records. The individual’s privacy interest in those records is no less compelling because his records are stored in his doctor’s office.

Some courts have, in fact, identified a patient’s constitutional right to privacy in medical records held by third parties. See, e.g., Commonwealth v. Riedel, 539 Pa. 172, 651 A. 2d 135 (1994) (interpreting US Constitution); State v. Nelson, 283 Mont. 231, 941 P.2d 441 (1997) (interpreting Montana Constitution). But whether or not a constitutional right exists under these circumstances, we believe federal policy makers should adopt a Fourth Amendment-like standard to govern law enforcement access to medical records in order to enhance patient privacy and engender trust in the doctor-patient relationship.

Congress has already extended Fourth Amendment-like protection to the contents of electronic communications (18 U.S.C. § 2703), information pertaining to video rentals (18 U.S.C. § 2710), and subscriptions to cable programming (47 U.S.C. § 551). Medical records are at least as deserving of privacy as stored e-mails, and certainly more sensitive and intimate than video rental records and cable subscription information. Statements made to a health care provider during the course of medical treatment should receive no less statutory protection than current federal law already provides for these other everyday transactions.

Of course there are occasions when the police will have a compelling need to obtain medical records. The Fourth Amendment is not a bar to police investigations, but rather balances the interests of individuals to be secure in their personal papers and effects on the one hand, and the legitimate needs of law enforcement officials on the other. Unfortunately the proposed rule does not reflect that balance. The rule does not require review by a neutral magistrate who could balance these interests, and in any event the legal standard established in the rule does not call for such a balancing test.

In our specific comments, attached, we propose changes to address the following six flaws in this portion of the rule.

First, there is no requirement of judicial review. The regulations give law enforcement agencies the choice of obtaining records pursuant to a warrant or court order (both reviewed by a neutral judge), a grand jury subpoena (typically issued by a prosecutor in the name of the grand jury), or an administrative subpoena, summons or civil investigative demand – all legal instruments issued without judicial review. Naturally law enforcement agents, especially in the pre-indictment stage of an investigation, will choose the least restrictive means of obtaining records, those that do not require review by a judge or prosecutor. Thus, under these rules, law enforcement agents may simply issue written demands to doctors, hospitals and insurance companies to obtain patient records. Since police are engaged in what Justice Cardozo called the "often competitive enterprise of ferreting out crime," Johnson v. United States, 333 U.S. 10 (1948), they cannot be expected to balance neutrally the competing goals of privacy and law enforcement.

Second, even when judicial review is sought, the legal standard under which it will be evaluated is inadequate. Under the regulations, the written demand would need to assert probable cause that the records are: (1) "relevant and material to a legitimate law enforcement inquiry"; (2) "specific and narrowly drawn as is reasonably practicable"; and (3) "de-identified information could not reasonably be used." This standard falls short of the traditional probable cause standard (probable cause to believe that the records contain evidence of a crime) and do not call for a balancing of the interests of law enforcement and privacy such as the test in the pending Leahy-Kennedy bill (S. 573) ("need for the information outweighs the individual’s privacy interests"). The bar is set too low to protect privacy.

Third, the regulations do not require that the individual whose records are about to be searched receive notice of the search and an opportunity to contest its validity. Such notice is consistent with notions of due process in our adversarial system of justice, and is commonplace in other privacy statutes such as the Right to Financial Privacy Act. If there is any risk that notice to the individual would lead to destruction of the records, waiver of the notice requirement could be permitted. But in an ordinary investigation, notice is appropriate, fair and not unduly burdensome.

Fourth, the proposal contains an overbroad identification exception. Section 164.510(f)(2) allows for release of patient information anytime the police are trying to identify a suspect or fugitive. This overbroad exception turns all computerized medical records into a huge database through which the police may browse to seek matches for blood, DNA or other personally identifiable health traits. Nothing in this section requires that law enforcement demands be specific or narrowly drawn. Dragnet searches of this kind are currently used to search through mug shots or fingerprints (or increasingly DNA banks) of convicted criminals. But those data banks exist because criminals have a diminished expectation of privacy following conviction. In contrast, the medical records of law-abiding citizens are not – and should not become – a police database.

Fifth, the regulations contain blanket exceptions to the minimal procedural requirements applicable to most law enforcement agencies for intelligence and national security activities, including most activities of the Secret Service. Current law already provides special procedures for intelligence gathering activities, but there is no precedent in the U.S. Code for a blanket exemption from lawful procedures for agencies engaged in domestic law enforcement. Under these regulations, for example, the Secret Service could demand the complete medical records of all individuals receiving any mental health service in a particular community without demonstrating that any particular individual poses a threat to a government official. Granting any law enforcement agency such carte blanche authority is entirely unjustified.

Sixth, evidence obtained in violation of the legal standards in the regulation should be inadmissible at trial. We are mindful that HHS may not have statutory authority to mandate an exclusionary rule, since courts are not among the entities covered by the regulation pursuant to HIPAA. But there is no doubt about the authority of a court to enforce the legal requirements of the rule by excluding improperly obtained evidence, since courts have inherent authority to fashion remedies for violation of legal rules. Indeed, many courts apply such a rule now. See, e.g., Commonwealth v. Shaffer, 714 A.2d 1035 (Pa. 1998) (suppressing evidence obtained as the result of a warrantless search of defendant’s medical records); Illinois v. Wilber, 279 Ill. App. 3d. 462 (1996) (permitting introduction of evidence obtained from defendant’s medical records where law enforcement had complied with statutory provisions for the release of the information). While not legally binding, HHS should endorse this approach to enforcement in the preamble to the regulations.

Some may suggest that the changes we propose in this area will hinder the ability of law enforcement officers to apprehend criminals. But experience demonstrates that law enforcement can function very effectively within a probable cause framework. Respect for the Fourth Amendment and the privacy values it embodies does not unduly hamper police and prosecutors; indeed, the exercise of prosecutorial and police power within rules that protect privacy actually increases citizen trust in law enforcement and encourages law abiding behavior. When law enforcement officers are seen as overzealous or overly intrusive, the breakdown in trust and cooperation between government and its citizens has a corrosive and dangerous effect on police and prosecutorial effectiveness.

In any event, privacy is itself a value, however intangible, that civilized society must nurture and protect even at the expense of efficient law enforcement. The police would catch more criminals if they could search citizens without cause on the streets and in their homes. But that is not the constitutional system that the Founding Fathers bequeathed to us, and thankfully not.

B. Government Health Data Systems

The proposed regulations include an overbroad exception for data systems maintained by the government itself. Under section 164.510(g) of the rule, the privacy protections applicable to the disclosure of medical records generally would not apply when health care providers disclose records to government agencies or private entities acting on behalf of government agencies for use in a government health data system. HHS states that the exception is necessary to support "policy, planning, regulatory, or management functions authorized by law," but the regulations are formulated so broadly that virtually any compilation of data by the government would be covered. Patients would receive no notice and no opportunity to object when their personal medical information is provided to federal, state or local agencies.

Government data systems are notoriously susceptible to expansion and abuse. Officials may collect information for entirely benign goals, but once the data are collated and stored there is a temptation for the information to be used for invasive and illegitimate purposes. A recent example arose in New York City, where the Mayor has proposed mining government health records to determine whether welfare recipients are substance abusers. Similarly, the furor surrounding the Health Care Financing Administration’s OASIS program demonstrates the public’s distress at open-ended, intrusive collection of medical data by government agencies, however well-intentioned those agencies may be. Other misuses of government-collected data are described in a report prepared by the American Civil Liberties Union of Wisconsin entitled In the Balance: State Government and Medical Records Privacy (1998).

In our specific comments, we urge that HHS narrow or eliminate this exception. There are other exceptions in the regulations (e.g., the public health exception) that provide sufficient authority for government agencies to obtain needed data. This open-ended, broadly worded exception creates the potential for vast computerized data bases of citizens’ records and undermines the goal of medical privacy. Indeed, this provision interacts dangerously with the overbroad exception for law enforcement access (§ 164.510(f)) because nothing in the proposed rule would prevent the creation of a police data base of the type we fear.

C. Patient Authorization

The proposed regulations contain a significant omission: there is no requirement that a doctor obtain a patient’s authorization before using the patient’s medical records for treatment, payment or health care operations.

If it is true, as we contend, that patients maintain an ownership interest in their health information, it follows that medical records containing that information should not be used for any purpose without the patient’s consent. The proposed regulations do require patient authorization when medical records are disclosed for purposes other than treatment, payment and health care operations. But if it is practical and appropriate to obtain authorization in those circumstances, it is practical and appropriate to obtain authorization right from the start of the doctor-patient relationship.

To be sure, most patients would readily authorize the disclosure of their records for treatment and payment, but some patients might want to place conditions on the use of especially sensitive information for non-essential purposes. Other patients may decide not to be treated by a doctor whose disclosure practices are too broad. And many patients would be skeptical about the use of their private medical information for nebulous "health care operations" purposes. A requirement that doctors seek authorization provides an opportunity for patients to consider these important questions and, if necessary, negotiate the terms under which records may be disclosed.

Under current practice, doctors routinely ask patients to sign a form that provides notice about the disclosure of records and gives the patient an opportunity to authorize that disclosure. It is true that the proposed regulations require that a patient receive notice of the extent to which his or her medical information will be disclosed to others, but notice and consent are not the same. The regulations are a step backwards from current practice because they require only notice and not consent.

We urge that the final regulations include a requirement that patients sign an authorization form before personal information is transmitted, even for treatment, payment or health care operations.

D. Women’s Rights

The ACLU is very concerned about a cluster of medical privacy issues of special concern to women, including some that implicate reproductive freedom. While we are pleased with HHS’s resolution of certain key controversies in this area, we believe that the regulations should ensure the confidentiality of all sensitive health services, including reproductive health services, for adults and minors alike, and protect victims of domestic violence from disclosures that may endanger their safety. To accomplish these vital goals, our specific comments recommend the following changes:

First, the definition of "individual" should be modified to give minors exclusive control over their own health information whenever they lawfully obtain a health service without parental consent and whenever a parent assents to a minor's confidential relationship with a health provider. Minors should not be compelled to surrender such control when they voluntarily involve their parents in their health care decisions, without a legal obligation to do so. And, in situations where the minor does not exercise exclusive control, the regulation should provide

a mechanism whereby adolescent patients and their parents can exercise concurrent control over the minors' health information. State laws that are contrary to these rules and less protective of a minor's privacy should be preempted.

Second, the regulation should add a definition of sensitive health services that includes reproductive health care and services related to sexually transmissible diseases. A separate, individual authorization should be required whenever information about such services is sent to an individual's home, whether for billing, appointment confirmations, explanations of benefits, or any other purpose. Individuals must be secure in their right to decide whether their roommates, housemates, or family members learn of their sensitive medical conditions.

Third, the regulation must ensure that victims of domestic violence are not endangered by unwarranted disclosures of their health information. The regulation should give health

care providers greater discretion to deny access to the health records of a minor or other dependent person when the provider has reason to believe that the parent or other legal representative requesting the information may harm the patient. Similarly, the regulation must give individuals a real and binding right to restrict disclosures when they certify to their health care providers that the disclosure would endanger their safety.

IV. The Importance of Non-Preemption

Despite the foregoing concerns, we support this regulatory process for one important reason: whatever its flaws, the proposed rule represents an improvement over the status quo. That is true because (1) except in the substance abuse field, there are no medical privacy protections in current federal law and these regulations would establish at least baseline protections; and (2) the proposed rule does not preempt state laws that provide greater privacy protections. Preemption, then, is central to the ACLU’s approach to these regulations, and merits discussion in this overview of the ACLU’s position.

The 1996 law authorizing HHS to promulgate a medical privacy rule dictates a policy under which the federal rules will preempt weaker state laws but not preempt more stringent state laws. It has been argued by the insurance industry and others that blanket preemption of state medical records privacy laws is necessary to avoid confusion over which state law applies in an era of nationwide health care plans and insurance companies. But that problem is solved by the principle that patients own their own health information; the domicile of each patient serves as a concrete reference for the determination of whether additional privacy protections enacted by a particular state would apply. Each state should remain free to address privacy needs that may rise in the future. These federal rules serve as a floor – but not a ceiling – of privacy protections.

In our specific comments, we suggest two important changes that would strengthen HHS’s approach to preemption. First, we urge that the process by which a state would apply to HHS for a waiver to maintain a law that is arguably weaker than the federal rules be tightened. Such waivers should not be readily granted. Second, we urge deletion of § 164.510(n), which would allow a covered entity to use or disclose protected health information without individual authorization "where such use or disclosure is required by law and the use or disclosure meets all relevant requirements of such law." This section is broadly written and could apply to a variety of state laws that are contrary to the proposed rule and less protective of privacy.

Despite these flaws, we do not understand the proposed regulations to impede efforts to protect medical privacy at the state level. If the final rule were to further restrict the authority of states to enact patient protections, we would oppose it.

V. Conclusion

Policymakers at the Department of Health and Human Services deserve commendation for their hard work in drafting this medical privacy rule, and the regulatory effort in which they are engaged holds great promise. While the American Civil Liberties Union remains deeply concerned about key aspects of the proposed regulations, we offer these comments and suggestions in the hope that the final regulations will fulfill that promise and establish in federal law for the first time meaningful medical privacy protections.

Click here for additional notes.

* A number of the specific comments attached to this document are drawn from or even duplicate (with permission) comments submitted to HHS by the Consortium of Citizens with Disabilities, the Institute for Health Care Research and Policy, the National Partnership for Women and Families and other groups. We wish to acknowledge our reliance on the work of these and the other organizations with which we have consulted. We also wish to emphasize that the adoption of some, but not all, of the comments of these groups should not be interpreted as disagreement with other comments of theirs which we have not so adopted.