Abortion Records, Health Privacy, and De-Identification
By: Robert Gellman

May 10, 2005

This is a reply to Daphne Gilbert’s recent post titled The Power of Privacy to Obscure Equality: Abortion Rights Under Attack. I am not offering a rebuttal because I am either in agreement with her conclusions or at least sympathetic. But I have a somewhat different view of US health privacy law, and I want to comment on an abortion records case that raises some novel anonymity issues.

Part I. Overview of US Health Privacy Law

Until a few years ago, health privacy law in the US was largely a matter of state law, and most state laws were (and still are) a hodgepodge of statutes and rules covering disparate elements of health privacy. Congress started the process of federalizing health privacy law with the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The law ultimately directed the Department of Health and Human Services to promulgate federal health privacy rules. The health privacy rules, which took effect in 2003, can be found at http://www.hhs.gov/ocr/hipaa/. Stronger state and federal laws continue to remain in force, however.

The federal rules generally establish a common policy for all health records, regardless of content or record keeper. This choice is probably correct policy. While people often perceive differences in the sensitivity of health records, it is difficult to draw clear lines based on content. Records sometimes identified as sensitive include records about AIDS, drug or alcohol abuse, sexually transmitted diseases, and genetic records. State laws often have special protections for these types of records, and it can be challenging to comply with laws when more than one applies to the same record. Consider the difficulty applying five or more different laws to records of a patient who is a drug abuser, has AIDS, has the gene for Huntington’s Disease, and is depressed about it all.

If you work at it long enough, you can find sensitivity everywhere. A dentist told me of a patient whose biggest secret was his dentures. Not even the patient’s wife knew that he had false teeth. Are psychiatric records always sensitive? Not to everyone. Some people talk (endlessly) about their psychiatrists. But I have yet to meet anyone who talks about a visit to a proctologist. Sensitivity is not a clear, consistent, or predictable concept in health. One person will guard a cold as a medical secret while the next loudly describes a cancer diagnosis at a cocktail party.

The only records that receive special treatment under HIPAA are a very narrowly defined category of psychotherapy notes. However, the extra protections are limited. For example, the notes can still be disclosed for law enforcement purposes in response to subpoenas and court orders.

Thus, abortion records receive no special treatment or protection under HIPAA. This means, for example, that the records can be disclosed for numerous purposes, including health care oversight, public health, research, law enforcement, national security, and many other activities. HIPAA provides that nearly all routine disclosures of health records can occur without specific notice to or consent of the data subjects. Indeed, disclosures are allowed in most cases even if a patient expressly objects to the disclosure. In sum, HIPAA allows virtually every disclosure necessary or convenient for the health care system, for law enforcement, and for many other governmental purposes.

If there is a saving grace here, it is that the federal rules do not mandate that covered entities make allowable disclosures. Under the rule, disclosures are permissive. However, many other laws compel disclosure. Some are unobjectionable. Physicians have long been required to report communicable diseases to public health authorities. Child abuse must also be reported. Gunshot wounds are also subject to reporting laws, as are birth defects and some other medical conditions in some states.

We are not done with compelled disclosures. Court orders, grand jury subpoenas, search warrants, and the like may require disclosure of health records. In some cases (e.g., subpoenas), the record keeper or the data subject may have an opportunity to contest the order. However, with a search warrant, the police seize records without any opportunity to object.

We can now draw some conclusions about US health privacy law. First, federal privacy rules apply most to health records, although state laws remain relevant. Second, the HIPAA protections against disclosure are weak. Third, abortion records have no special status under the federal rules.

Part II. US Constitutional Law and Privacy

The Supreme Court’s decision to uphold the right to abortion was based in significant part on the right to privacy. I won’t repeat Daphne Gilbert’s discussion of Roe v. Wade. However, there is more to the constitutional analysis of privacy.

In 1977, the Supreme Court addressed privacy issues in Whalen v. Roe, a case involving a clash between health privacy and the ability of the state to mandate reporting of patient information, see: http://supct.law.cornell.edu/supct/html/historics/USSC_CR_0429_0589_ZC1.html. The case involved a constitutional challenge to a New York State statutory requirement that the names and addresses of all persons who obtained certain prescription drugs be reported to the state and stored in a central computerized databank.

In Whalen, the Court described its own past decisions involving privacy as protecting two kinds of interests. One is an individual interest in avoiding disclosure of personal matters. The other is an interest in independence in making certain kinds of important decisions (e.g., matters relating to marriage, procreation, contraception, family relationships, child rearing, and education). These two prongs of privacy are important for the rest of the discussion here.

Whalen involved an individual’s interest in avoiding disclosure. The Court said that the duty to avoid unwarranted disclosures "arguably has its roots in the Constitution." This statement hints at the existence of a constitutional right of informational privacy, but the Court did not squarely hold that the right exists. The Court observed that disclosures of private health information are often an essential part of modern medical practice. The Court could not conclude that reporting to the state was an impermissible invasion of privacy.

The existence and scope of any constitutional protection for information privacy remains uncertain nearly 30 years after Whalen. Subsequent lower court decisions are split. Some courts found that a constitutional right of information privacy exists and some found that it does not. In any event, Whalen suggests that it does not take much of a state interest to overcome an individual’s interest in non-disclosure.

It is the privacy interest in independence in making personal decisions that is directly relevant to the right to abortion, not the interest in non-disclosure. However, the recent abortion records cases arise at the intersection between the two privacy interests identified by the Supreme Court. Does the right to abortion also encompass a corresponding right to privacy for records documenting the abortion? Or does the constitutional right to informational privacy (if any) provide any protection, special or otherwise, to abortion records? Or will the courts see the legislatively mandated rule issued by the Health and Human Services Department as providing an excuse to duck the harder constitutional issues?

If I part company with Daphne Gilbert’s analysis, it is over her discussion of the investigation being conducted by the Kansas Attorney General. That investigation seeks to force abortion clinics to turn over the complete health records of nearly ninety women and girls. The state’s contention is that the material is needed for an investigation into underage sex and illegal late-term abortions. Gilbert concludes that: “It seems obvious that the Kansas investigation constitutes, at the least, a violation of client-doctor privacy.”

Unfortunately, it isn’t clear that there is much left to the notion of client-doctor privacy under information privacy principles. Remember that the plaintiff in Whalen lost with that argument. Now that we have federal health privacy rules, neither the plaintiff in Whalen nor the subject of a Kansas abortion record is in a better position. HIPAA places no substantive barrier to disclosure to the Attorney General. Disclosures for criminal or civil investigations – no matter what the prosecutor’s real motive may be – can be made consistently with the HIPAA rules. Abortion records have no better protection than other records. The traditional physician-patient privilege is also not likely to help at all. The privilege is often so narrow as to be irrelevant, and it is non-existent in some states. I wouldn’t abandon any of these arguments, but I do not have much hope.

If there is a better argument available here, it may arise under the other prong of the Whalen analysis. The interest in independence in making important personal decisions may provide a different basis for arguing that abortion records need protection. It is not some vague patient right of privacy that is at stake but the right to abortion itself. If abortion records become the subject of routine disclosure for law enforcement, national security, health care oversight, public health, research, and other allowable HIPAA purposes, women may be deterred from seeking abortions.

Whether this argument has any chance in court remains to be seen. Like Daphne Gilbert, I would like to make a traditional information privacy argument, but I don’t see that as a sure winner under current law. The best hope for success may arise under the other prong of privacy, which is (for now) clearly rooted in the Constitution.

Part III. An Unlikely Hero: Posner to the Rescue.

One of the first abortion records cases involved litigation over the constitutionality of the federal law prohibiting so-called partial birth abortions. Several courts wrestled with discovery requests for abortion records for procedures done by physicians testifying as expert witnesses that the prohibited technique is medically necessary.

The cases produced hand-wringing newspaper editorials about health privacy, few of which showed understanding of the substantial lack of privacy protections in the federal privacy rules or in most state laws. The real issue in the cases had to do with discovery rules in civil litigation.

In March 2004, the Seventh Circuit Court of Appeals decided one of these cases: Northwestern Memorial Hospital v. Ashcroft. Surprisingly, perhaps, Judge Richard Posner, a noted critic of privacy, wrote the majority pro-privacy opinion. He has written elsewhere that most demand for privacy is motivated by concealment of discreditable information by people who want to project an untrue image. This is a view held by some economists. I don’t buy it because there are many other elements to privacy beyond concealment (e.g., access, correction, notice, data quality, dignity, etc.).

Posner’s opinion addressed the burden of compliance with requests for production of documents, a standard issue in civil discovery. A third party can object to producing documents when the burden would exceed the value of the material to the litigation. Judge Posner used this principle to decide the case by weighing the probative value of the records against the potential privacy loss that would result in a case in which the patient was not a party. Privacy won.

However, it is crucial to understand that the records at stake were not identifiable. The records were to be de-identified before disclosure so that a patient’s identity could not reasonably be ascertained. The federal health privacy rule sets out a stringent de-identification procedure, and the dissent in the case argued with some force that there was no privacy interest left after de-identification. Here are two key paragraphs from Posner’s majority opinion:

Some of these women will be afraid that when their redacted records are made a part of the trial record in New York, persons of their acquaintance, or skillful “Googlers,” sifting the information contained in the medical records concerning each patient’s medical and sex history, will put two and two together, “out” the 45 women, and thereby expose them to threats, humiliation, and obloquy.
Even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy. Imagine if nude pictures of a woman, uploaded to the Internet without her consent though without identifying her by name, were downloaded in a foreign country by people who will never meet her. She would still feel that her privacy had been invaded. The revelation of the intimate details contained in the record of a late-term abortion may inflict a similar wound. [emphasis provided].

Posner found a privacy interest even if there were no possibility that the patient’s identity could be determined. For someone like Posner who otherwise does not think much about the value of privacy, this is a remarkable conclusion. If applied more broadly, then no microdata of any type might ever be disclosed even if accompanied by a mathematical proof of non-identifiability. Such a holding would have significant consequences for health and other types of social science research, among other things. If we read Posner’s conclusion as relating to the disclosure prong of privacy, it is a significant departure from the existing understanding of privacy as well as an expansion of the notion of privacy. Arguments that wholly de-identified records retain a privacy interest are rare.

However, if we read more between the lines, it is possible to suggest that Posner’s approach derives from the independent decision prong of privacy. The goal is not to protect the privacy of wholly de-identified data, but to protect women seeking abortion from any concern about even the remotest possibility that their information might be released in any form.

When I first read Posner’s opinion, I thought that his notion of privacy for wholly de-identified records broke new ground. However, reading that same idea as a protection for the individual decision prong of privacy, I am much more supportive. In at least some instances, it may make sense to ban disclosure of records whether identifiable or de-identified because we cannot expect that the average person will understand data identifiability distinctions. If there is a reason for concern that disclosure would interfere with individual decisions, then greater protection for health records may be justified. However, providing protection for all types of de-identified data would be considerably more troublesome.

The abortion records cases in the US raise many unexplored issues. The notion of privacy protections for anonymized data is not something that anyone would have predicted as part of any constitutional right to privacy. Posner’s opinion may have opened that door, and it will be interesting to see where it may lead.
