HIPAA and Homeland Security: Can they coexist?

Medical privacy protections, so stringently enforced under HIPAA, are being eroded, critics charge. And the culprit is the government itself.

By Wayne J. Guglielmo
Senior Editor

Medical privacy and efforts to combat terrorism at home may be on a collision course, say critics from across the political spectrum.

They worry that, at the very moment the government, through HIPAA, is imposing new medical privacy rules on doctors and other "covered entities," it's granting itself greater access to restricted data in the name of homeland security. "We're opening the spigots without the controls you'd expect to have in place to maintain security and confidentiality of data," says Peter P. Swire, President Clinton's point man on privacy and HIPAA, and currently professor of law at Ohio State University's Moritz College of Law.

Swire's concerns are shared by individuals and organizations at both ends of the political spectrum. But not everyone sees things as the critics do. Those who reject the "alarmist" rhetoric say that officials have given themselves very few new surveillance powers and that, if anything, the various systems now in place contain more checks and balances than ever before.

We took a closer look at both sides of the debate to help you decide.

A HIPAA "loophole" raises concerns

While disclosure of medical information for public health and other purposes existed before HIPAA, the privacy rulemakers went out of their way to reaffirm established disclosure laws.

They did so through a series of 12 "exceptions" to HIPAA that permit—but don't require—doctors and others to turn over medical records to the government without prior patient authorization. Among these is one that involves police and law-enforcement activities aimed at identifying or locating a particular criminal suspect. (Broader law-enforcement disclosures may be compelled by a court order or subpoena.) Another involves federal intelligence activities authorized by the National Security Act of 1947. And still another concerns the work of public health agencies as they track or respond to emerging health threats, including bioterrorism.

Each of these disclosure exceptions is subject to restrictions. In the area of public health, for instance, the agency requesting the information must provide evidence of its authority and explain the purpose of its request. A doctor or other covered entity, in turn, must typically limit the amount of information he discloses to what is minimally necessary to achieve the agency's goal.

"There are real limits here, which the covered entity, who's subject to our authority, must engage in," says Richard Campanelli, director of HHS's Office for Civil Rights, the government's top HIPAA privacy enforcement official.

But, in most cases, the agency that receives the data isn't subject to government authority under HIPAA. Once it receives the protected information, HIPAA doesn't—indeed, can't—restrict redisclosure. That fact concerns people like Peter Swire, who thinks that, in post-Sept. 11 America, public health agencies may feel pressured by state and federal surveillance authorities to turn over data in the name of preventing terrorism. "Every pharmacy record, every ED admission might be a potential red flag to new terrorist activity," he says. "This is the public health loophole that would permit the government to get massive numbers of records, even with HIPAA in place."

The AMA has also expressed its concern "about the lack of safeguards to prevent government agencies from wrongfully disclosing or misusing confidential and private health information." It called upon Congress to "expand privacy requirements to all entities that maintain individually identifiable health information."

OCR chief Campanelli points out that "many law enforcement and public health authorities are also subject to separate laws—at the state or other levels—that regulate how they maintain and distribute information." These officials "are quite careful about how they use information," he says, because they're as concerned as anyone to demonstrate that they're using it appropriately.

New state laws erode patient trust

The Model State Emergency Health Powers Act, drafted with federal funding after Sept. 11, is the template for many of the state laws that address disclosure of health information.

In the event of a bioterrorist attack or other health threat, the model act grants state governors and public health authorities the power to access protected health information, to isolate and quarantine individuals at risk of spreading infectious disease, and to enforce mandatory reporting by physicians and other healthcare professionals.

To date, 32 states and the District of Columbia have passed bills that include one or more of these and other model provisions. Eight of these new laws contain provisions relating to access to health data; 21 contain isolation and quarantine language; and 18 mandate physician reporting, with penalties for failure to report.

"We're concerned not only about the privacy implications, but about the ability of the state to use force to get people to do whatever the governor's designee orders, which might be quite misguided," says Tucson internist Jane M. Orient, executive director of the Association of American Physicians and Surgeons, a group opposed to intrusion of all kinds in the doctor-patient relationship.

In Minnesota—where a version of the model act passed last year—privacy advocates are similarly worried. "The entire health system is being jeopardized by the state and federal governments' wish to mine things that might be a terrorist threat," says Twila Brase, RN, president of the Citizens' Council on Health Care, which describes itself as a "free-market resource for designing the future of health care." In the process, says Brase, the government is undermining patient trust in the system—and in doctors. In time, "patients will consider physicians the conduit of data to the government," she says.

The Minnesota Medical Association supported the legislation once its concerns had been addressed. "We're supportive of patient privacy," says spokesperson Lorrie Holmgren, "but if individual identity is protected, we think public health concerns can be met without compromising patient confidentiality."

Lisa Speissegger, a public health adviser with the National Conference of State Legislatures, agrees, adding: "In terms of abuse, the potential has always been there. It hasn't disappeared to anybody's satisfaction, but HIPAA and the model act haven't exacerbated the problem, either."

Other privacy threats on the horizon?

The fears of government snooping aren't likely to go away, however.

The first USA PATRIOT Act was passed overwhelmingly by Congress in the month following Sept 11. Now the draft of Patriot II, as it's been dubbed, is raising new concerns. Among other things, it would permit the government, without a court order, to collect and electronically store DNA information for the purposes of "detecting, investigating, prosecuting, preventing, or responding to terrorist activities."

Of equal concern to many on both the left and the right is the Department of Defense's renamed Terrorism Information Awareness Program. (The DOD's first attempt—the Total Information Awareness Program—was given the cold shoulder by Congress.) In its report to Congress this May, the DOD acknowledged that implementation of some of its components "may raise significant and novel privacy and civil liberties policy issues." The impact on HIPAA—and the privacy rules in particular—would be one, officials said.

Doctors aren't crazy about HIPAA, to be sure. And many would undoubtedly be willing to sacrifice a measure of privacy for legitimate efforts to combat terrorism. But if they believe the government is snooping unnecessarily into their own lives or those of their patients, they certainly won't be happy.

Will this spur them to action? Peter Swire thinks it just may: "I think this issue is already starting to get more attention as doctors realize that the public health system is at risk of being hijacked by the surveillance police."

 

Wayne Guglielmo. HIPAA and Homeland Security: Can they coexist? Medical Economics Dec. 19, 2003;80:32.