When exploring medical privacy issues, it's very useful to have an overview of the laws that affect control and privacy of medical information. We encourage you to read our legal overview.
The government has many options for obtaining your medical records on the grounds of national security. And if your medical records are swept up in a national security investigation, you likely won't be asked to consent and potentially won't ever know your medical records were accessed.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that went into effect in 2003 included a national security exception that permits doctors, hospitals, and any other "covered entity" to disclose individual health information "to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act."1 This exception overrides the normal requirement that your authorization is needed before your medical information can be disclosed for anything other than your treatment, bill payment, or your health care provider’s business operations.2
This national security exception appears to allow covered entities to disclose health records, at their own discretion, to any federal agency that plays a role in intelligence, counter-intelligence, and national security activities. This includes but isn't limited to the CIA, the FBI, and the NSA.
For example, a hospital could disclose any or all of the patient medical records in its possession to the NSA on the hospital’s own initiative, and could even allow the NSA or other federal agencies to access the hospital’s health record system on a permanent, ongoing basis. This could be done without a court order, without any procedural or substantive protections or barriers, and even without any request from the agency.
The second part of this exception allows medical records disclosures as part of "protective services to the President" and a long list of others entitled to Secret Service protection, including visiting foreign heads of state and distinguished foreign visitors.
National security disclosures are permissive rather than mandatory under HIPAA (your doctor can say no), but the language—particularly of the disclosures to agencies—is amazingly broad.
The HIPAA-mandated notice of privacy practices (NPP) you receive when you first register as a patient (and also receive annually from your health insurer) includes some statement about the national security exception. There is no standard language for this notice, but the following is typical:
We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities, for military purposes, or to provide protective services to the President or other important officials.
What legitimate uses would a national security or intelligence agency have for your medical records? One possibility might be to conduct bio-terrorism surveillance, for example, to investigate a rash of deaths caused by anthrax or ricin. This is different from syndromic surveillance of disease outbreaks, which fall under the public health exception. Also, data reported for public health purposes get some regulatory protection: either state laws, which vary enormously in their treatment of public health information, or the federal Common Rule, which protects research subjects if the purpose of using the information is to conduct research. The same protections do not apply to medical records disclosed under a national security exception.
The only protection that health data requested for national security or intelligence purposes appears to have is that covered entities could deny a HIPAA-based request, although that seems unlikely. On the other hand, there is no automatic secrecy provision (or gag order) attached to this type of disclosure, which means providers can tell you when your records are disclosed under this exception. Intelligence agencies might be unwilling to accept the risk of a patient learning that her records had been sought under a national security exception, and so might prefer to use a different authority to get the information they are seeking—such as Section 215 of the Patriot Act.
The Patriot Act and Medical Records
Section 215 of the Patriot Act gives high-ranking FBI officials (the Director, Deputy Director, or Executive Assistant Director for National Security) the authority to obtain foreign intelligence information using a court order to compel production of medical records. This provision is largely redundant because the FBI probably already had permissive access to medical records under HIPAA’s national security exemption, but the powers granted under Section 215 are broader and more secretive.
Unlike the HIPAA exemption, however, a Section 215 disclosure is mandatory or compelled.
This gives an agency like the FBI that can use both sets of rules—HIPAA and the Patriot Act—alternatives. It can ask a HIPAA-covered entity for medical records, which can be turned over without a patient’s authorization under the national security exemption. Or, the FBI can apply to the Foreign Intelligence Surveillance Court, the secret court created by the Foreign Intelligence Surveillance Act, to compel production "of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution."
Can you find out if your medical records have been disclosed under a HIPAA exemption or the Patriot Act? Theoretically, you could under HIPAA, which entitles patients to an "accounting of disclosures"; that is, the right to know to whom their medical information has been disclosed for up to six years prior to a request, for reasons other than treatment, payment, or routine business operations.3 Since national security disclosures are not expressly omitted from the list, covered entities should as a matter of law have to account for them if a patient asks. In contrast, the Patriot Act expressly bans anyone ordered to hand over "tangible things"—like records—from telling anyone who isn’t necessary to producing the "tangible things."4 This means a patient may never know if her medical information is sought using the Patriot Act, even if she does request and receive an accounting of disclosures.
Since more privacy-protective state laws will take precedence over the HIPAA regulations—as California’s breach notification requirements did before HIPAA caught up—it’s intriguing to speculate what would happen if a state health information privacy law expressly negated HIPAA’s national security exemption. Doing so might make the use of Section 215 to access medical records more routine, but the current HIPAA national security exemption involves absolutely no judicial oversight—a serious problem given the exemption's tremendous scope.5
As the law stands now, the federal government has multiple avenues for accessing medical records by citing national security considerations, and gag provisions in the Patriot Act make it difficult to know how this power is being used.
- 1. 45 C.F.R. § 164.512(k)(2)
- 2. But note that HIPAA has 12 permitted uses and disclosures of PHI that don’t require your authorization.
- 3. The "accounting for disclosures" rule that was to be updated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) is not yet final, but would cover electronic disclosures going back three years before a request, including disclosures for treatment, payment, and routine business operations. See "HHS Releases Request for Information for Accounting of Disclosures Rulemaking."
- 4. See 50 U.S.C. § 1861(d); aka, the "gag order."
- 5. This discussion ignores the special case of health records relating to treatment in federally funded substance abuse facilities and programs under 42 U.S.C. § 290dd-2 and its “Part 2” regulations. It's unclear whether Section 215 overrides the stricter Part 2 privacy provisions.