Opportunity lost: why and how to improve the HHS-proposed legislation governing law enforcement access to medical records.

Author: Van Der Goes, Peter H.W.
Position: Health and Human Services Department


Imagine a "not-too-distant" time when "genetic screening is the norm and the upper strata of society are closed to people who haven't been created through science. In-Valids, they're called...."(1) Genetic science has progressed to the point where every human trait can be engineered, and society now stigmatizes, discriminates against, and even pities those unfortunate enough to be conceived the old-fashioned way. In this world, those who are the product of "faith birth[s]" must lie and deceive to gain access to those areas they desire.(2) Thus, for an "In-Valid" to pursue the dream of becoming, say, an astronaut, "he must be genetically perfect, and since true identity can be established instantly by examination of just one cell, any cell, from his body, the deception involved in becoming the person he wants to be is fascinatingly elaborate and difficult."(3)

As a chilling corollary, the institutions and organizations that regulate and order our society--corporations, governments, and law enforcement agencies--have access to the information contained in individuals' genes via their medical histories and records. In this vision of the future, corresponding technological advances in information storage, retrieval, and access have accompanied the advances in genetic technology. Thus, the forensic capabilities of the police to investigate crimes such as murder, and the totality of their access to the private medical and genetic records of citizens, remind one of the bleak and grotesque futures envisioned by Huxley and Orwell.(4)

Of course, many people would recognize the world just described as a fantasy, created by writer/director Andrew Niccol in his 1997 science-fiction thriller Gattaca.(5) Similarly, few Americans would take seriously the notion that government authorities collect genetic samples from almost all of us, keeping and cataloging these samples indefinitely. This, however, is a reality: hospitals take blood samples from virtually every newborn in the United States and store a bloodspot on a card.(6) These samples, known as "Guthrie spots,"(7) remain stable for many years and can reveal genetic data indefinitely when properly preserved. In 1994, three-quarters of the states stored Guthrie-spot cards, and at least four intended to do so indefinitely.(8) Combine this with the push to create a single national health information database using individual identifiers,(9) and the world Niccol envisions in Gattaca may be a fantasy only with respect to the genetic engineering. Indeed, the level of governmental information access and control Niccol describes is well within our government's vision and grasp.

Not surprisingly, Americans expect and assume that medical records privacy is a primary and well-defended right in our society. For example, numerous studies confirm that we consider medical records privacy extremely important,(10) that we expect vigilance with respect to medical professionals protecting this privacy,(11) and that we are concerned that changes in information technology threaten this privacy.(12) Undoubtedly, the rapid and fundamental changes in technology, information systems, and the health care industry have created an environment in which medical records are more accessible, and more frequently accessed, than anyone imagined even ten years ago.(13) Because of this evolution, a broad coalition of privacy advocates, citizens' groups, and legal scholars have called for the federal government to replace the inconsistent and incomplete patchwork of state and federal laws protecting the medical records privacy rights of citizens with a single, strong federal law.(14)

The efforts of that coalition came to fruition in the fall of 1997, when, in response to HIPAA, passed on August 21, 1996,(15) HHS issued a report laying out its recommendations for a federal law.(16) Despite some special-interest criticisms,(17) many felt that the report, entitled Confidentiality of Individually-Identifiable Health Information ("HHS Report" or "the Report"),(18) reflected a legitimate interpretation and representation of the best aspects of constitutional and judicial protections of medical records privacy in the computer age.(19) There was one area, however, where HHS appeared to shrink from its strong position of privacy protections: the general exception for law enforcement access to medical records(20) was left unmodified and unregulated,(21) despite compelling reasons for imposition of federal guidelines in this sphere.(22)

This Comment argues for increased federal protections against law enforcement intrusion into personal medical records under the set of law enforcement exceptions to the general legal principles establishing medical records privacy. Although it is important to recognize that law enforcement authorities, like other information users, often have legitimate reasons for accessing such personal information, there are strong legal and societal rationales for drafting clear federal-level protections against unwarranted intrusions by law enforcement personnel. Profound changes in medical and information technology have driven our reevaluation of privacy protections with regard to other non-law-enforcement users of personal medical information.(23) Similarly, we should reexamine law enforcement access to such information in light of these dramatic changes.

A critical examination of the proposed law enforcement exception first requires an understanding of the technological and legal context of the HHS Report. As a result, Part I of this Comment outlines the changes in medicine and medical record keeping that gave rise to HIPAA and the HHS Report. This Part contains a brief overview of the Act and resulting Report. It also discusses the manner in which these proposed rules recognize the changing realities of medical and information technology, and contrasts the general thrust of the Report with the policy behind the proposed law enforcement exception.

Part II then reviews the legal foundations for the current law enforcement exception standard. This Part demonstrates that legal principles exist that support strong limitations on law enforcement's access to personal medical records. Part II also surveys the impediments to such limitations reflected in the constitutional context, federal statutory framework, and state-level legal structures. The shortcomings and inconsistencies of this patchwork of legal protections against unwarranted access to medical records by law enforcement personnel, it is argued, cut in favor of establishing stronger, more uniform limitations at the federal level.

Part III explores this federal uniformity argument and others. In general, Part III develops the major legal and policy arguments for revisiting the HHS Report's position on law enforcement access to medical records. These arguments incorporate a review of the moral and social benefits achieved in creating a clear federal standard. They also recognize a host of related issues, including the demands of technological change, the need for greater protection of acknowledged constitutional rights, and the need to reevaluate other legal frameworks. Additionally, this Part considers the potential problems in administering the Report's proposed penalties-based approach.

Part IV offers some suggestions on how the proposed law enforcement exception could be modified to address the arguments discussed in Part III while still accommodating law enforcement information needs. This Part recognizes and evaluates commentators' suggestions for strengthening HHS's proposed law, and develops a general and straightforward set of recommendations that, if adopted, would create a legal framework that embraces a more vigorous set of privacy protections without undue harm to law enforcement's ability to achieve its aims. This framework acknowledges the limitations of individuals' privacy rights with respect to their medical records. In the face of these limits, however, it offers substantially sufficient protections in the increasingly complex world of medical and information technology, and law enforcement's increasingly invasive use of this information.


    When Congress included medical records privacy language in HIPAA, it was not only recognizing the sweeping changes that took place in medical records information management and utilization, but was also attempting to address the impact that future industry changes would have on individuals' privacy. This Part provides a limited introduction to the nature and scope of the changes in health care information technology and records management and how these changes have been driven by larger influences in health care delivery. It also introduces the legislation at issue, HIPAA, and the resulting HHS Report, discussing the structure and principles that seem to guide the Report's legislative suggestions, while focusing in particular on the law enforcement exception.

    1. The Health Care Industry, Technology, and the Falling Away of Medical Records Privacy

      Three factors have driven the evolution in the use of medical records and health information technology: (1) changes in information technology; (2) increasing demands for medical research and the need for research data; and (3) the for-profit shift in health care delivery.(24) These changes have driven unforeseen shifts in the collection, use, and dissemination of personal data through the health care system.(25) The extent and fundamental nature of these changes are difficult to overemphasize.

      1. The Rise of Information Technology and Its Effect on Medical Records Privacy

        As noted above, the American public is concerned about the potential loss of privacy that could result from the increasingly complex and ambitious scope of medical record information systems.(26) When looking at the changes in how the health care industry uses technology to collect...
