INTRODUCTION 2 I. THE EVOLUTION OF THE CONSTITUTIONAL RIGHT TO INFORMATIONAL PRIVACY 6 II. TO PROTECT OR NOT TO PROTECT: THE SECOND CIRCUIT VS. THE THIRD CIRCUIT 11 A. The Second Circuit's Limited Protection Approach 12 1. "Serious" and "Embarrassing" are Ambiguous Terms 13 2. "Serious" and "Embarrassing" are Subject to Evolve 15 3. Jurors and Judges are Not Equipped to Determine the Seriousness of a Condition 15 B. The Third Circuit's More Liberal Approach 16 1. Medical Information is Generally Afforded Greater Protection 17 2. Private and Sensitive are not Synonymous 18 III. MEDICAL PRIVACY GOING FORWARD 19 A. Courts Should Protect All Medical Information 19 1. Courts Should Incentivize Safeguarding Against Inadvertent Information Disclosures Rather than Excuse Them 20 2. Protecting all Medical Information Simplifies the Courts' Balancing Test 23 3. Patients May be Less Forthcoming if They are Unsure Whether Their Information is Protected 23 B. Congress Should Amend the Privacy Act to Permit Recovery for Emotional Distress 24 CONCLUSION 25 INTRODUCTION
Traditionally, an individual's personal records were beyond the government's grasp absent a showing of probable cause. (1) The legal standards that protected them "evolved in a world where such records were almost universally in the actual possession of the individual." (2) However, with today's ever-expanding use of technology (3) and the ease with which highly intimate and sensitive information may be acquired and compiled, (4) that world no longer exists. (5) Instead, the magnitude of information sharing in the digital age has led to private, personal records not feeling very private at all.
In an attempt to safeguard health information, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. (6) Specifically, the HIPAA Privacy Rule prohibits the "inappropriate use and disclosure of [health] information." (7) Notably absent, however, is a private right of action. (8) Thus, an "individual whose information is improperly used or disclosed, according to HIPAA, has no recourse" despite the "irreversible emotional and financial harm" caused by privacy violations. (9) In an attempt to provide a remedy to victims of sensitive data breaches, some state courts have allowed HIPAA to inform the applicable standard of care in negligence cases. (10) other states have enacted legislation to regulate the "privacy, confidentiality, security, use, and disclosure of information." (11)
Despite these preliminary steps, the primary focus has been on private data breaches, leaving breaches in the U.S. public sector without "the attention [they] deserve." (12) Like hospitals, doctors' offices, and pharmacies, the government holds large volumes of sensitive data. (13) Unlike privately held data, however, the government obtains this information through "coercive or unbargained-for" means." (14) Specifically, they obtain it through either: (1) requiring disclosures by law "(e.g. tax returns, the census, law enforcement);" or (2) "in connection with an activity for which there is no realistic alternative source or supplier (e.g. licensing or benefits)." (15) A number of states have employed the former method to require medical facilities to disclose personal health information when it furthers a state interest. (16) For example, Georgia--in response to the current opioid epidemic--passed House Bill 249 in 2017, requiring prescribers to enter patients' prescription information for Schedule II, III, IV, and V controlled substances in a Prescription Drug Monitoring Program (PDMP). (17) The PDMP, which falls under the purview of the Georgia Department of Public Health, gives providers the ability to review patients' history of filled prescriptions over the last two years. (18)
But what if the PDMP gets hacked? Or what if a Department of Public Health employee leaves his work laptop on the bus? The individuals who were prescribed certain controlled substances would have their private data in the public domain. They would "suffer torment, anxiety, and financial and emotional stress wondering if and when this information will be used against them." (19) Hackers may even be able to "open credit cards, take out loans, [or] fraudulently obtain tax returns." (20) Yet, these patients can't sue under HIPAA. Moreover, they likely cannot sue under state law as state and federal governments enjoy sovereign immunity. (21) The government is shielded from liability, unless and until state or federal legislatures abrogate that immunity for state privacy claims. (22) Fortunately for these individuals, however, this immunity does not protect the government from all claims. (23) An individual whose information has been improperly acquired or disseminated by a governmental actor may still look to two sources for agency liability: the Federal Privacy Act (24) or the Constitution. (25) Due to the shortcomings of the Privacy Act and the Supreme Court's "restrict[ion] on the ability of individuals to recover damages for a violation of the Act," (26) this Article primarily focuses on the constitutional right to informational privacy. (27)
While the Constitution does not explicitly provide a right to privacy, (28) a number of Supreme Court decisions have recognized that the right may exist. (29) In an attempt to clarify its scope, the court in Whalen v. Roe declared that there are two types of privacy interests: "security of personal information and autonomy in making important decisions." (30) Although the Supreme Court has confronted decisional privacy many times, (31) the contours of the right to informational privacy continue to elude courts. (32) In fact, the Supreme Court has yet to expressly extend the right to privacy to informational privacy despite confronting the issue twice since Whalen. (33) Despite the Court's restraint to rule on the existence of the right, every circuit court with the exception of the D.C. Circuit (34) has interpreted Whalen as establishing such a right to informational privacy. (35) Although these courts unanimously refuse to extend the right absolutely, each court varies as to what medical information it protects. (36)
The following Article discusses the extent to which the constitutional right to informational privacy protects medical data from improper acquisition or dissemination by state agents. (37) Part I provides background on Whalen v. Roe, the Supreme Court case that has been understood to establish the right to informational privacy. (38) Part I also discusses the variations across the circuit courts as to what medical information is afforded protection by the right. (39) Part II analyzes the well-established approaches adopted by the Second and Third Circuits as they present opposing interpretations of Whalen, one wholly protecting medical information and the other protecting scarcely any. (40) Finally, Part III explains why the Supreme Court and courts that have yet to adopt a uniform approach should follow the Third Circuit and constitutionally protect all medical information from improper government acquisition or dissemination. (41) Part III also argues for an amendment to the Privacy Act to provide individuals whose medical conditions are not afforded protection under the Constitution an alternative remedy. (42)
THE EVOLUTION OF THE CONSTITUTIONAL RIGHT TO INFORMATIONAL PRIVACY
In 1977, the Supreme Court arguably recognized a constitutional right to informational privacy, though it refused to expand its holding beyond the facts of the case. (43) In Whalen v. Roe, the state of New York responded to the concern that drugs were being diverted into unlawful channels by enacting a statute that required doctors to disclose to the state information regarding patients being prescribed certain drugs with a high potential for abuse. (44) These disclosures would include information such as the patient's name, address, and age. (45) In its opinion, the majority delineated two kinds of privacy interests: the "interest in avoiding disclosure of personal matters" and "the interest in independence in making certain kinds of important decisions." (46) The privacy interest dealing with the nondisclosure of medical records falls within the first category. (47) Ultimately, the Court held that the patient-identification requirement in the New York statute was insufficient to "constitute an invasion of any right or liberty protected by the [Constitution]." (48) It reasoned that the requirement was furthering a legitimate state interest and that disclosure of medical information can be "an essential part of modern medical practice even when the disclosure may reflect unfavorably on the character of the patient." (49)
In his concurring opinion, Justice Brennan argued that despite the majority's holding, future technological developments would ultimately require additional restrictions as such developments may vastly increase the potential for abuse of easily accessible computerized information. (50) Forty years and countless technological advances later, (51) the scope of constitutional restrictions on informational privacy remains unclear. (52) Circuit and district courts interpreting Whalen unanimously permit acquisition and disclosure of medical information when the government's interest in propagating the information outweighs the individual's interest in keeping the information private. (53) However, most courts do not even reach this balancing test if they determine the information is not of a constitutionally protected dimension. (54) This conclusion begs the question: what medical information is constitutionally protected?
The Second Circuit extends the constitutional right to privacy to serious, fatal conditions and profound psychiatric conditions that impart on their victims "discrimination and intolerance." (55) In Doe v. City of New York, the court found that individuals infected with HIV "clearly possess a...