Privacy Cagematch—DHS vs. HHS

OK, this post gets a big IANAL stamped across it. I don’t know the legal ins and outs here (and I’m not sure if anyone does), but the new announcement by the Department of Homeland Security (DHS) regarding laptop computers puts physicians and other health care providers in a bit of a spot.

HIPAA (the Health Insurance Portability and Accountability Act) is the law that governs the privacy of your medical information. It is very, very detailed, and requires quite a bit from your doctor. You’ve signed a form at the office of every provider you’ve visited that notifies you of your privacy rights. I cannot discuss your care in a hospital elevator. I can’t send you an email regarding your health without making it very clear that any information in the email cannot be considered secure. I cannot disclose your health information to anyone else except under very specific and limited circumstances. HIPAA has radically changed the way we do things with health information (sometimes for the better, sometimes not).

Moving on to Homeland Security—DHS agents may, for any reason or none at all, seize my laptop and demand any security or encryption codes. My laptop not infrequently contains information covered by HIPAA (known as PHI, or Protected Health Information). Because of that, my laptop is secured via HIPAA-compliant security measures. Under the new DHS guidelines, I can be required to hand over my laptop and help officers access the information without any suspicion of wrong-doing. We have a little problem here…

HIPAA is often wrongly invoked. For instance, when I call another doctor’s office to get information on a shared patient, the secretary will sometimes ask me for a HIPAA form signed by the patient before they give me the information. This is an incorrect application of HIPAA. The law is not designed to impede the treatment of patients. Specifically:

Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

Now, running my office and taking care of patients is about as far as my knowledge goes. What happens when an armed government agent asks me to turn over protected health information?

HIPAA has a few clauses that are ambiguous to me as a doctor, specifically “Public Interest and Benefit Activities”. The big get-out-of-jail-free card is this one:

Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).

Given that this clause seems to say the government can make me give out your info at any time (but in a legal context), what else does the Public Interest Clause say?

Once again, here’s a big hunk of relevant legal words:

Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Given that agents can seize your records from me without suspecting anything, I’m not sure how any of this possibly applies.

It’s time for HHS and DHS to get together and make a few clarifications for us, before we all have to further enrich our lawyers. Better yet, perhaps the ACLU could get together with other groups of converging interests and fight DHS on this one.

It’s not just your laptop you should be worried about—it’s also mine.


Comments

  1. You might want to see if the EFF (www.eff.org) has anything to say on this issue. They are already fighting this, but perhaps they haven’t heard of this specific issue yet.

  2. Scott M.

    PalMD, A couple of things that may add to this discussion.

    First, encrypt your laptop and all the drives you stick into it including your usb jump drives, SD cards you use in your camera, EVERYTHING! One of the best open source and free programs for doing this is TrueCrypt. It can be found here:
    http://www.truecrypt.org/

    It has the ability to completely encrypt your Windows hard drive so all temporary files, histories, etc., cannot be recovered! It does it seamlessly and in the background. I’ve done it and it works wonderfully. A version can also be obtained for Linux but in general, if you want your linux computer encrypted, you have to wipe the disk and encrypt it from the get-go.

    Get PGP or GPG (free and open source) and learn how to use it! Get a good password too. I’d recommend a favorite phrase or motto that you can either ROT 13 or run through the picket-fence cipher. This means you have a “hard” pass-phrase that’s easy to re-create even if you don’t want to bother actually remembering it.

    For example, the phrase “I write for denialism blog” is a good phrase when ROT13 becomes “V jevgr sbe qravnyvfz oybt” or “Iwiefrdnaimbo rt o eils lg” when run through a picket-fence.

    A judge has ruled you do NOT have to give up your password but that is on appeal I think. See the story at:
    http://tinyurl.com/5uk9oe

    This ruling may hinge on your willingness to cooperate in the first place. A good defense is to have an excuse handy. They ask what’s the password, you reply something like, “I don’t know. This is my boss’s work computer. I’m just lugging it about for the lazy bastard.”

    Keep encrypted back-ups at home and be prepared to walk away completely from the computer or device if it’s confiscated. Don’t ask for it back. Just report it stolen to your insurance company and hope to get a replacement.

    Use a laptop. It makes installing keylogging keyboards more difficult. See the following link to better understand what I mean.
    http://www.keyghost.com/

    Check your keyboard connection routinely for those types of devices ESPECIALLY, and I cannot stress this enough, ESPECIALLY if using a public computer like at the library!

    Finally, the BEST defense against this type of unwarranted search and seizure is to elect progressives who take the Fourth Amendment seriously. Contact your current representatives and tell them this is completely unacceptable to you as a voting taxpayer.

    Gurl pnzr svefg sbe gur Pbzzhavfgf,
    naq V qvqa’g fcrnx hc orpnhfr V jnfa’g n Pbzzhavfg.

    Gura gurl pnzr sbe gur Wrjf,
    naq V qvqa’g fcrnx hc orpnhfr V jnfa’g n Wrj.

    Gura gurl pnzr sbe gur genqr havbavfgf,
    naq V qvqa’g fcrnx hc orpnhfr V jnfa’g n genqr havbavfg.

    Gura gurl pnzr sbe gur Pngubyvpf,
    naq V qvqa’g fcrnx hc orpnhfr V jnf n Cebgrfgnag.

    Gura gurl pnzr sbe zr,
    naq ol gung gvzr ab bar jnf yrsg gb fcrnx hc.
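The two transforms named in the comment above, as an added example that is not part of the original thread: it reproduces both strings the comment gives for its sample phrase, and generalizes to any Caesar shift and any rail count to measure how much the choice of transform can contribute. The helper names, including `keyless_variants` and `added_bits`, are hypothetical; both ciphers are keyless and reversible, so the strength of such a passphrase rests on the secrecy of the phrase itself.

```python
import math

PHRASE = "I write for denialism blog"  # the phrase used in the comment

def caesar(text, shift):
    """Shift ASCII letters by `shift`; ROT13 is the shift-13 case."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def rot13(text):
    return caesar(text, 13)

def rail_pattern(length, rails):
    """Rail visited by each character position in the zigzag."""
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]

def rail_fence_encrypt(text, rails=2):
    pattern = rail_pattern(len(text), rails)
    return "".join(c for r in range(rails)
                   for c, p in zip(text, pattern) if p == r)

def rail_fence_decrypt(cipher, rails=2):
    pattern = rail_pattern(len(cipher), rails)
    # Ciphertext is written rail by rail; the stable sort recovers that order.
    order = sorted(range(len(cipher)), key=lambda i: pattern[i])
    plain = [""] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return "".join(plain)

def keyless_variants(phrase):
    """Hypothetical helper: every output of one shift plus one rail count."""
    return {rail_fence_encrypt(caesar(phrase, s), r)
            for s in range(26) for r in range(1, max(2, len(phrase)))}

def added_bits(phrase):
    """Upper bound on the entropy the transform choice adds to the phrase."""
    return math.log2(len(keyless_variants(phrase)))

if __name__ == "__main__":
    print(rot13(PHRASE))
    print(rail_fence_encrypt(PHRASE))
    print(round(added_bits(PHRASE), 1))
```

For the 26-character sample phrase the transform choice contributes fewer than 10 bits, which is why a long, unguessable phrase matters more than the scrambling applied to it.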

  3. dreikin

    Ek. Hadn’t even thought about that part of it yet (but then again, I’m currently preoccupied trying to factor semi-primes in a reasonable amount of time..). Like I said, I’m in the dark about most of this (not been paying much attention to the news), but does/could this include desktops? And what serves as (at least in your case) “HIPAA-compliant security measures”?

  4. While Scott M’s suggestions are mostly excellent, I’d like to add a couple of things:
    – You can encrypt your linux machine without reinstalling everything, provided you have enough spare space. Quite likely all you want to encrypt is your home directory, your swap, and maybe your temporary directory anyway. Bear in mind, though, that most solutions (such as encrypted loopback filesystems) have no conception of ‘logged in’, so they’re only safe from intruders when your computer is turned off or you’ve explicitly unmounted the encrypted drive.
    – Checking for keyloggers on public terminals gives a false sense of security – it’s trivial for someone to install keylogging software on such a terminal that will be literally impossible to detect given the access you have. I go one step further and never, ever log in to anything I care about from a public terminal; I’m reluctant to even do so from friends’ computers.

  5. The ACLU already is at least a little bit involved. They’ve put together a website that makes it really easy to email your congresscritter about this whole ignore-the-fourth-amendment business. One letter will make no difference, but if congresscritters get a lot of letters from a lot of people unhappy about this, they might start to pay attention:

    https://secure.aclu.org/site/Advocacy?pagename=homepage&id=1009&page=UserAction&JServSessionIdr009=rv8wq6iqu2.app20a

  6. Your mentioning of HIPAA privacy requirements made me think of another.

    FERPA (Family Educational Right to Privacy Act).

    It would seem likely that anyone involved in teaching who uses a laptop would have grade information on their computers. So the same concerns about conflicting federal laws apply.

  7. Of course, I hope your data is a bit more obscured, Scott.

  8. Scott M.

    Brian,
    It is. I just threw that in there to force the newbies (I’m almost medium) to work a little to get some idea of what is out there, etc. Easier than me trying to explain ROT 13.

    I should have posted this one though:
    Gur evtug bs gur crbcyr gb or frpher va gurve crefbaf, ubhfrf, cncref, naq rssrpgf, ntnvafg haernfbanoyr frnepurf naq frvmherf, funyy abg or ivbyngrq, naq ab Jneenagf funyy vffhr, ohg hcba cebonoyr pnhfr, fhccbegrq ol Bngu be nssvezngvba, naq cnegvphyneyl qrfpevovat gur cynpr gb or frnepurq, naq gur crefbaf be guvatf gb or frvmrq.

  9. Nice.

  10. Mark Chu-Carroll has an article about this and currently is running a series of articles on how to protect oneself through encryption.

  11. Encryption isn’t really ideal, because the feds will simply demand you tell them the key. If you hand over the key, the encryption is of no use. If you refuse to hand over the key, then this is clear evidence that you are trying to hide something, so you can expect to have criminal charges of some kind filed. Not the full terrorism thing – you are just not worth the effort – but obstructing a federal agent or impeding airport security, perhaps. Refusing to supply evidence that can disprove their accusations is not going to be good for your defence.

  12. D. C. Sessions

    If you refuse to hand over the key, then this is clear evidence that you are trying to hide something, so you can expect to have criminal charges of some kind filed. Not the full terrorism thing – you are just not worth the effort – but obstructing a federal agent or impeding airport security, perhaps.

    The word from people who want their laptops back once they’ve been taken for “inspection” is that arguing just gets you a long interrogation. Long enough to make sure you miss your flight. You still don’t get the laptop back, of course.

    The best advice remains: if you don’t want it confiscated, don’t take it across a border. This includes everything: books, papers, telephones, cameras, computers, clothing. If you want to keep it confidential, don’t make an electronic record of it — because at present electronic records are not treated as having the same confidentiality as paper ones. (See current news from the Ninth Circuit, which has held that the State does not need a warrant to demand backup copies of your e-mail from mail service providers.)

    I’ll close with the observation that MDs have it relatively easy, since there’s no special requirement for them to carry medical records while traveling. Lawyers, on the other hand, must take materials with them while traveling to represent clients that they are also legally required to keep confidential.

  13. I am no lawyer, but just glancing at the link I didn’t see any reference to the nationality of the patient or the health care provider relating to keeping records confidential.

    Presumably a US doctor is still held to US law when traveling overseas relating to non-disclosure of medical records of a US patient.

  14. Darrell Pruitt

    All this talk convinces me not to participate in electronic health records for my dental practice. Thank goodness I still have that option. Darrell Pruitt DDS

  15. If it was me I would probably keep sensitive info online or log into my office computer and store it. If you have to travel and use that information, I have no good ideas. Join the ACLU and keep your card stuck to your laptop.

  16. The courts have ruled time and time again that refusal to allow an official to look does not constitute probable cause.

    That said, may I encourage you all, as I intend myself, to put your money where your mouth is. The ACLU, the EFF, and all of these people working to defend our rights can’t do so without whatever funding they can get. I’m a po’ lil’ college student, but I’ll give what I can, and I advise others to do the same.

    I have nothing on my computer that is incriminating or embarrassing but I’ve had my local ACLU office’s number on my cellphone for a while now, ’cause you never know.

  17. oscarzoalaster

    The problem with encryption is sending stuff to someone who does not have encryption. If I routinely encrypt things I make them so that they cannot be read by people without the ability to decrypt them – which will cut my email correspondence to zero.

  18. Scott M.

    Agreed oscarzoalaster.

    I’m thinking of encrypting my e-mail messages as plain text and including with the message my public key. If people want to read what I’ve got to say, they’ll finally take the time to get encryption. If not, maybe I should find more important things to say.

    As an aside, but along these lines. Firefox has a neat extension called Leetkey that allows you to encrypt stuff, do ROT13, translate stuff to Morse code, etc. Have a look!

    Take a swipe at this one Brian-

    nWVvrxsBITAhITAhLVkv2NsqZ0erx1/YLl1hR4Ut39Vd+K+9

  19. How is this all even vaguely constitutional? In fact, is it? Anyone out there willing to be a test case?

  20. This is not just about laptops:

    “The policies cover “any device capable of storing information in digital or analog form,” including hard drives, flash drives, cellphones, iPods, pagers, beepers, and video and audio tapes. They also cover “all papers and other written documentation,” including books, pamphlets and “written materials commonly referred to as ‘pocket trash’ or ‘pocket litter.’ “”

    From

    http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030.html

  21. Luna_the_cat

    Actually, from my husband’s experience, if you have anything on your HD encrypted you pretty much guarantee that they will keep your laptop. They are allowed to, for as long as they feel like, basically.

    Consider this carefully.
