Privacy Cagematch—DHS vs. HHS

OK, this post gets a big IANAL stamped across it. I don’t know the legal ins and outs here (and I’m not sure if anyone does), but the new announcement by the Department of Homeland Security (DHS) regarding laptop computers puts physicians and other health care providers in a bit of a spot.

HIPAA (the Health Insurance Portability and Accountability Act) is the law that governs the privacy of your medical information. It is very, very detailed, and requires quite a bit from your doctor. You’ve signed a form at the office of every provider you’ve visited that notifies you of your privacy rights. I cannot discuss your care in a hospital elevator. I can’t send you an email regarding your health without making it very clear that any information in the email cannot be considered secure. I cannot disclose your health information to anyone else except under very specific and limited circumstances. HIPAA has radically changed the way we do things with health information (sometimes for the better, sometimes not).

Moving on to Homeland Security—DHS agents may, for any reason or none at all, seize my laptop and demand any security or encryption codes. My laptop not infrequently contains information covered by HIPAA (known as PHI, or Protected Health Information). Because of that, my laptop is secured via HIPAA-compliant security measures. Under the new DHS guidelines, I can be required to hand over my laptop and help officers access the information without any suspicion of wrong-doing. We have a little problem here…

HIPAA is often wrongly invoked. For instance, when I call another doctor’s office to get information on a shared patient, the secretary will sometimes ask me for a HIPAA form signed by the patient before they give me the information. This is an incorrect application of HIPAA. The law is not designed to impede the treatment of patients. Specifically:

Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

Now, running my office and taking care of patients is about as far as my knowledge goes. What happens when an armed government agent asks me to turn over protected health information?

HIPAA has a few clauses that are ambiguous to me as a doctor, specifically “Public Interest and Benefit Activities”. The big get-out-of-jail-free card is this one:

Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).

Given that this clause seems to say the government can make me give out your info at any time (but in a legal context), what else does the Public Interest Clause say?

Once again, here’s a big hunk of relevant legal words:

Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Given that agents can seize your records from me without suspecting anything, I’m not sure how any of this possibly applies.

It’s time for HHS and DHS to get together and make a few clarifications for us, before we all have to further enrich our lawyers. Better yet, perhaps the ACLU could get together with other groups of converging interests and fight DHS on this one.

It’s not just your laptop you should be worried about—it’s also mine.