Schneier on Security
A blog covering security and security technology.
June 7, 2005
U.S. Medical Privacy Law Gutted
In the U.S., medical privacy is largely governed by a 1996 law called HIPAA. Among many other provisions, HIPAA regulates the privacy and security surrounding electronic medical records. HIPAA specifies civil penalties against companies that don't comply with the regulations, as well as criminal penalties against individuals and corporations who knowingly steal or misuse patient data.
The civil penalties have long been viewed as irrelevant by the health care industry. Now the criminal penalties have been gutted:
An authoritative new ruling by the Justice Department sharply limits the government's ability to prosecute people for criminal violations of the law that protects the privacy of medical records.
The criminal penalties, the department said, apply to insurers, doctors, hospitals and other providers -- but not necessarily their employees or outsiders who steal personal health data.
In short, the department said, people who work for an entity covered by the federal privacy law are not automatically covered by that law and may not be subject to its criminal penalties, which include a $250,000 fine and 10 years in prison for the most serious violations.
This is a complicated issue. Peter Swire worked extensively on this bill as the President's Chief Counselor for Privacy, and I am going to quote him extensively. First, a story about someone who was convicted under the criminal part of this statute.
In 2004 the U.S. Attorney in Seattle announced that Richard Gibson was being indicted for violating the HIPAA privacy law. Gibson was a phlebotomist, a lab assistant in a hospital. While at work he accessed the medical records of a person with a terminal cancer condition. Gibson then got credit cards in the patient's name and ran up over $9,000 in charges, notably for video game purchases. In a statement to the court, the patient said he "lost a year of life both mentally and physically dealing with the stress" of dealing with collection agencies and other results of Gibson's actions. Gibson signed a plea agreement and was sentenced to 16 months in jail.
According to this Justice Department ruling, Gibson was wrongly convicted. I presume his attorney is working on the matter, and I hope he can be re-tried under our identity theft laws. But because Gibson (or someone else like him) was working in his official capacity, he cannot be prosecuted under HIPAA. And because Gibson (or someone like him) was doing something not authorized by his employer, the hospital cannot be prosecuted under HIPAA.
The healthcare industry has been opposed to HIPAA from the beginning, because it puts constraints on their business in the name of security and privacy. This ruling comes after intense lobbying by the industry at the Department of Health and Human Services and the Justice Department, and is the result of an HHS request for an opinion.
From Swire's analysis of the Justice Department ruling:
For a law professor who teaches statutory interpretation, the OLC opinion is terribly frustrating to read. The opinion reads like a brief for one side of an argument. Even worse, it reads like a brief that knows it has the losing side but has to come out with a predetermined answer.
I've been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law -- and to a large extent, they're waiting to see how it's enforced -- they are doing so because of the criminal penalties. They know that the civil penalties aren't that large, and are a cost of doing business. But the criminal penalties were real. Now that they're gone, the pressure on big health to protect patient privacy is greatly diminished.
The simplest explanation for the bad OLC opinion is politics. Parts of the health care industry lobbied hard to cancel HIPAA in 2001. When President Bush decided to keep the privacy rule -- quite possibly based on his sincere personal views -- the industry efforts shifted direction. Industry pressure has stopped HHS from bringing a single civil case out of the 13,000 complaints. Now, after a U.S. Attorney’s office had the initiative to prosecute Mr. Gibson, senior officials in Washington have clamped down on criminal enforcement. The participation of senior political officials in the interpretation of a statute, rather than relying on staff attorneys, makes this political theory even more convincing.
This kind of thing is bigger than the security of the healthcare data of Americans. Our administration is trying to collect more data in its attempt to fight terrorism. Part of that is convincing people -- both Americans and foreigners -- that this data will be protected. When we gut privacy protections because they might inconvenience business, we're telling the world that privacy isn't one of our core concerns.
If the administration doesn't believe that we need to follow its medical data privacy rules, what makes you think they're following the FISA rules?
Posted on June 7, 2005 at 12:15 PM
With all this flux in privacy and security it is no wonder that we recently were informed that for quite a while convicted sex offenders were getting free viagra.
There is no reason to panic just yet. The criminal statutes remain, and will still serve a deterrent effect to those who write the hospital policies, or those who fail to carry out the policies on behalf of the hospital.
In the case of Mr. Gibson, clearly his actions were not on behalf of the hospital. He can still be charged under other statutes pertaining to fraud and identity theft.
One could argue that it is unfair to apply stricter standards to hospital employees compared to employees of other companies that hold the same or more personal data, such as insurers, banks, brokerages, personal data aggregators, or even dentist offices.
Read Swire's column. He believes that Gibson can be charged under other statutes, but that other privacy violations might not be.
And he makes a persuasive argument that the criminal penalties against organizations are irrelevant. It's rare that corporate policy includes stealing patient credit card numbers.
"If the administration doesn't believe that we need to follow its medical data privacy rules, what makes you think they're following the FISA rules?"
A: Not a thing, particularly when they are working to extend the powers of the executive branch to conduct domestic surveillance, while simultaneously attempting to curtail the ability of the judicial branch to review these activities.
The concept of checks (or in audit parlance, "controls") and balances seems to be lost on today's executive branch.
To my mind, this betrays a profoundly pessimistic vision. Even a zealot convinced of his own infallibility should want to limit the potential bad effects of future, fallible, zealots, unless the future is so discounted as to be irrelevant to today's calculations. Such pessimism (or is it myopia?) is cause for concern.
I think it will take a while for the health care community to realize the importance of enforcing laws to protect patient privacy. Sometimes it takes a disaster for industries to wake up and realize the true nature of a threat. And that is too bad.
Still, Mr. Gibson should also be held accountable for violating HIPAA (on top of the other criminal charges) personally, even if his employer wasn't responsible (i.e. that he didn't have access to information that he shouldn't have had, taking into consideration the duties and responsibilities of his position).
And as we're seeing, maybe those other industries that hold substantial amounts of personal data could do with some HIPAA-like legislation as well.
Actually, taking a wait-and-see attitude is perfectly rational. Why should a health care company spend millions protecting privacy if there are no penalties for not doing so? Regulations are regulations, but it's prosecution that makes a difference. And zero prosecutions in 13,000 complaints is a telling fact that health-care companies understand.
Two things I find puzzling. First, how can the Justice Department change statutory law? Second, what's the connection between the possible punishment of the hospital employee and the possible liability of the employer? What difference does it make to the hospital whether its employee can be prosecuted or not?
Regulators are frequently given substantial latitude in deciding how to implement the law. This is one reason that entities subject to actual or potential regulatory oversight like to see "industry participation" in regulatory bodies, and why consumer groups (for example) often like to see citizen participation increased.
I thought Robert M. Gellman put it best, as quoted in the NYT article:
"Under this decision, a tremendous amount of conduct that is clearly wrong will fall outside the criminal penalties of the statute."
Are you still a criminal if you are engaging in criminal behavior but can not be prosecuted?
Ironic that the current Administration aligns with large corporations who want to deregulate the market, yet at the same time calls for far more regulation over individual rights. The Bush stump speakers seem to say bad laws hurt competition, and therefore no laws are good for the market, which precipitates an overall weakening of individual freedoms and protections against government and its industry partners.
"Regulations are regulations, but it's prosecution that makes a difference."
You might find that fair prosecution comes naturally with properly crafted regulation, so there is definitely a balance between the two.
You might find that fair prosecution ( like well crafted regulation ) depends on which side of the fence you are standing.
If Industry X is under regulations which delimit its behavior, no amount of crafting will render these regulations as proper unless the regulations are in the Industry's favor. And any prosecution of adverse regulation will be considered unfair.
Agreed! But prosecution might be turned on its head without fair regulation(s). In fact, even past prosecution may be undone if the relevant regulation(s) are later found to be unfair. Swire makes a sage point that "there are ways to criminalize clearly bad behavior while reassuring ordinary health care employees that they will not be subject to prosecution. When there is enforcement against the bad actors, then the good persons in every organization have more leverage to insist on doing things right." Sometimes just the fear of (effective) prosecution is what makes regulation work, which I think somehow takes us back to Bruce's log entry about Counterfeiting in the Sudan...
When I read articles like this, I try to keep a level head, but my frustration mounts. What I think we have seen especially markedly since 9/11 are consistent roadblocks in liberal legal traditions and rollbacks to rule of law. (Note: "liberal" does not mean "left-wing" in this context.) The trend applies to domestic laws as much as international commitments.
In the latest May/June 2005 issue of Foreign Affairs, there is an outstanding article by the famous German historian Fritz Stern with lessons of similar trends in pre-war Nazi Germany.
Unfortunately the entire article is not available online, but it is an excellent and enlightening read, I wish more Americans could read it. Democracy alone does not protect citizens from autocrats; in Egypt and elsewhere there are examples of democratically elected dictators. Singapore and Hong Kong have shown that the respect for rule of law offers more protection, even when democratic credentials are weak. I fear that in the U.S. we are losing even this bedrock of our governance.
So, what's just happened is that responsibility has been dissociated from access. That's delightful.
Can you "gut" that which has no guts? HIPAA applies to specifically defined "covered entities," which include medical providers like hospitals and doctors, payors such as insurers and health plans, and healthcare information clearinghouses. HIPAA does not apply to anyone else. Congress could have drafted the law differently, but didn't. Congress could have said it applied to those entities and their employees, but it didn't.
Congress might pass a law that says all clean-shaven, non-bald redheads of Irish descent have to jump up and down on their left foot 30 times every morning (Scalia would probably find a Commerce Clause justification for it if he looked hard enough). If Bruce Schneier failed to get in 30 left-footed jumps this morning, that wouldn't be a violation of this law, since it doesn't apply to him. I, on the other hand, would be headed for the slammer. When a criminal law says it applies to this group of individuals and entities, it means it applies to that group of individuals and entities. I'm fairly appalled that a law professor who teaches statutory interpretation doesn't get that.
Gibson was not, and is not, a covered entity. HIPAA did not apply to him. HIPAA did apply, and does apply, to Gibson's employer; the DOJ opinion does not change that. The DOJ opinion does not get the industry out of anything; in fact it reduces the number of potential targets by eliminating from the ambit of the law the people who were not included in the ambit to begin with. The big, bad, evil "industry" is not cleared from prosecution by the DOJ opinion.
Gibson's employers had no idea he was doing what he was doing. Should the doctors for whom he worked go to jail because one of their employees stole information from them and used it to steal money from their patients? Gibson can be sent to jail for a lot of other crimes which he actually committed (since they, you know, actually apply to him). But sending him to jail for a HIPAA violation was a pretty big stretch.
There are some people whom I highly respect who say that there is federal case law that allows you to prosecute people who are not in the defined group of persons covered by a statute, but there certainly are a lot of people (particularly on the American Health Lawyers Association's Health Information Technology list-serv) who disagree with that. Of course, those of us on this side of the disagreement didn't bang our spoons on our highchair trays when Gibson came down.
Two issues here, one technical and one social:
To maintain privacy, just omit any personal identifiers. A patient could generate from his record both a private, secret identifier that persists and a number of temporary identifiers that expire after a limited time or number of uses. The server could keep a log of who accesses the record and when.
Intrinsically, consumers face an uphill battle when trying to form a lobby in government strong enough to compete with a producers' lobby. But to take control over our own health records seems like the sort of grassroots action that, just possibly, may not so strictly depend on regulatory coordination.
I have no particular desire to start a new patient advocacy organization. We should try to draft one. Which existing organization might serve as the hub of such a movement? Public Citizen and AARP each do some advocacy for patients; who else?
On the technical side, a term to know is "Personal Health Record" or "PHR." There are (see myphr.com) existing PHR systems available. But, like any other kind of Electronic Health Record (EHR), PHRs will be useless until they follow standardized formats and protocols. These standards are still under development.
Apart from communications bandwidth, what are the barriers to patients storing their records on servers outside the control of providers?
Which technologies look most useful?
What are the major barriers to patients organizing?
Is there any organization which would serve as an advocate for patients' privacy? Which ones?
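The identifier scheme sketched in the comment above (a persistent identifier derived from a secret only the patient holds, temporary identifiers that expire after a time limit or a number of uses, and a server-side log of who accessed the record and when) is worked through below as an added example. It is not code from the original post or from any commenter; the names `derive_persistent_id`, `TemporaryIdentifier`, `RecordServer`, the HMAC label string, the sample record and the clock values are all constructed for illustration, and the simplifying assumption that presenting the persistent identifier is enough to prove the caller is the patient is marked in the code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive_persistent_id(master_secret: bytes) -> str:
    """Patient side: derive the persistent, private record identifier from a
    secret only the patient holds. The server sees the derived value, never
    the secret, and the value carries no name or other personal identifier.
    The label string is a constructed domain-separation constant."""
    return hmac.new(master_secret, b"persistent-record-id", hashlib.sha256).hexdigest()


@dataclass
class TemporaryIdentifier:
    """A short-lived handle the patient hands to a provider (hypothetical)."""
    record_id: str
    expires_at: float   # absolute time in seconds; the demo uses a constructed clock
    uses_left: int


@dataclass
class RecordServer:
    """Holds records keyed by persistent id, resolves temporary ids, and logs
    every lookup attempt, successful or not."""
    records: dict = field(default_factory=dict)
    temp_ids: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)   # (time, accessor, token prefix, outcome)

    def store(self, persistent_id: str, record: dict) -> None:
        self.records[persistent_id] = record

    def issue_temporary(self, persistent_id: str, ttl_seconds: float,
                        max_uses: int, now: float) -> str:
        """Mint a random temporary identifier bound to one record.
        Assumption for this sketch: knowing the persistent id proves the
        caller is the patient; a real deployment would authenticate here."""
        if persistent_id not in self.records:
            raise KeyError("unknown record")
        token = secrets.token_urlsafe(16)
        self.temp_ids[token] = TemporaryIdentifier(persistent_id, now + ttl_seconds, max_uses)
        return token

    def access(self, token: str, accessor: str, now: float):
        """Resolve a temporary identifier. Returns the record on success and
        None otherwise; spent or expired tokens are discarded, and the
        outcome is always logged so refusals are visible too."""
        entry = self.temp_ids.get(token)
        if entry is None:
            outcome = "unknown-token"
        elif now > entry.expires_at:
            outcome = "expired"
            del self.temp_ids[token]
        elif entry.uses_left <= 0:
            outcome = "uses-exhausted"
            del self.temp_ids[token]
        else:
            entry.uses_left -= 1
            outcome = "granted"
        self.access_log.append((now, accessor, token[:8], outcome))
        return self.records[entry.record_id] if outcome == "granted" else None


def demo() -> list:
    """Walk through the scheme with constructed data and return the access log."""
    server = RecordServer()
    patient_secret = b"constructed-patient-secret-do-not-reuse"
    pid = derive_persistent_id(patient_secret)
    server.store(pid, {"note": "constructed sample record"})
    token = server.issue_temporary(pid, ttl_seconds=300, max_uses=1, now=1000.0)
    server.access(token, "clinic-a", now=1010.0)               # granted
    server.access(token, "clinic-a", now=1020.0)               # uses-exhausted
    server.access("not-a-real-token", "unknown", now=1030.0)   # unknown-token
    return server.access_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the log makes for a reviewer is that an access that fails (expired, spent, or unknown token) is recorded with the same detail as one that succeeds, so a provider probing with stale handles shows up in the record's own history rather than disappearing silently.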