HIPAA, Coronavirus, and The Limits of Privacy

By:
On:
In: Headline, Law
unsplash-logoCDC

At what point does the public's need for information outweigh the individual's right to privacy?

Yesterday, President Trump declared that the COVID-19 (also known as the coronavirus) was a national emergency. The declaration will bestow Trump with a vast amount of authority, as enumerated in the National Emergencies Act of 1976, which the executive branch can use to combat the virus. The declaration also granted additional powers to the Secretary of Health and Human Services, Alex Azar, to waive certain federal healthcare regulations. 

Azar has now been given the authority to waive federal rules, including rules restricting the intake of patients to hospitals and nursing homes; limiting the locations within a hospital where patients are permitted to be treated; and state licensing requirements that would prevent doctors from other states from treating patients. It was not immediately clear if the list that President Trump provided was exhaustive. 

Meanwhile, Governor Andrew Cuomo has already declared a state of emergency in New York, and instituted a one mile “containment zone” in the city of New Rochelle, located in Westchester County. New Rochelle has become the epicenter of the U.S. coronavirus outbreak. The National Guard has been dispatched to the area, to deliver supplies to the residents.

On Wednesday, March 10, there were 121 confirmed cases of coronavirus in Westchester County. On Thursday, New York City Mayor Bill de Blasio declared a state of emergency in New York City. By Friday, Westchester had 158 confirmed cases, followed closely by New York City, at 154, with 421 confirmed cases statewide.

So what do these national, state, and city emergencies mean for the privacy of individuals who may have contracted COVID-19? So far, these individuals have had their privacy rights respected. But will that continue?

Despite these strong government responses, information is scarce, and the general public remains largely in the dark. 

Just how deadly this disease will be is unclear, as the exact death rate is still unknown, although the current World Health Organization (“WHO”) estimate places it at 3.4%. The reason for the uncertainty surrounding the death rate is due, at least partially, to the fact that the disease is spreading faster that governments have been able to test for it, which, in turn, is because of a shortage of available tests. As a result, the number of known cases may not accurately reflect the infected population as a whole, and may contain a disproportionate amount of those who have a severe case of the illness (approximately 80% of cases are not severe). The shortage of information related to the number and severity of infections, then, cannot be easily rectified in the short term.

While some information is restricted because of constraints in global healthcare infrastructure, some information is being restricted by governments and healthcare entities because of privacy concerns.

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was designed to promote the flow of healthcare information between covered healthcare entities, while minimizing the risk that patients’ confidential health information would fall into the wrong hands. In essence, HIPAA was created, first and foremost, to increase Healthcare efficiency. See, Peter Swire & DebRae Kennedy-Mayo, U.S. Private-Sector Privacy (2nd ed. 2018). 

It should be noted that HIPAA only applies to the following types of entities: (1) Health plans (health insurers); (2) Healthcare clearinghouses; and (3) healthcare providers that conduct transactions in electronic form. Id.; see also, cms.gov guidelines. This means that HIPAA does not apply to doctors who deal solely in cash transactions (which is not to say that those doctors would not be otherwise bound by doctor/patient confidentiality).

For covered entities, though, HIPAA created broad rules prohibiting the release of personally identifiable information without the authorization of the patient. Under HIPAA’s privacy rule, for instance, doctors must anonymize a patient’s data before using it in medical research. The process of anonymizing (called “de-identification” in the HIPAA lexicon) requires the removal of certain types of information that could be used to identify an individual, like a person’s name and address or date of birth.

But in the midst of a global pandemic, with the potential to kill 3% of all those infected, does a patient’s right to remain anonymous supersede the public’s need to know who has been exposed?

The outbreak in Westchester began when a single attorney, who had unknowingly come down with the virus, attended a large bar mitzvah. The attorney was eventually brought to New York Presbyterian/Columbia Medical Center in “serious condition”. It then spread between the members of a local synagogue, called Young Israel of New Rochelle. In short time, some 1,000 congregants of the Young Israel were quarantined. 

Shortly after the attorney was hospitalized, his wife, Adina Lewis Garbuz, wrote a public Facecbook post, revealing the man’s identity. Her decision to write the letter should be applauded. By revealing their identities, the Garbuz’s placed each person who had been in contact with them on notice that they may have been infected. This allows individuals to take appropriate steps to limit further exposure, such as by by self-isolating. 

Unfortunately, the Garbuz’s seem to be in the minority of individuals who have tested positive for the virus and who have chosen to waive their anonymity. Most of the named individuals have been public figures, such as actor Tom Hanks or athletes Rudy Gobert and Donovan Mitchell.

Gobert, though can now attest to some of the less desirable consequences of having your private health information made public. Shortly before Gobert’s diagnosis, he had touched several reporters’ microphones, in an apparent display of mocking disregard for coronavirus concerns. Now that he has tested positive for coronavirus, he has drawn the ire of fans and teammates alike. 

Comment from discussion [Charania] Utah Jazz All-Star Rudy Gobert has tested positive for coronavirus, sources tell @TheAthleticNBA @Stadium. Sources say Gobert is feeling good, strong and stable — and was feeling strong enough to play tonight..

In the social media era, it has become increasingly clear how quickly public attention can turn to scrutiny and harassment. And, in a small sample size, coronavirus does not seem to be making the world more reasonable or empathetic. When fear and uncertainty teeters towards paranoia and accusation, people tend to abandon the better versions of themselves. HIPAA provides a layer of protection for infected individuals who might otherwise be irrationally scapegoated or ostracized.

It is understandable, then, that some people might not want to make their diagnoses public. After her public Facebook post, Mrs. Lewis Garbuz expressed concern that her family’s role in the coronavirus outbreak would be their legacy. That her and her husband may have worked hard their whole lives, only to be remembered for something that was entirely out of their control, is tragic. Who wants to be the face of pandemic?

But what if the  pandemic can be mitigated by the dissemination of information about who has been exposed?

Like with most laws, there are, of course, exceptions to HIPAA’s privacy protections. HIPAA permits healthcare entities to release protected health information (referred to as “PHI”) to public health authorities (i.e. the government) if it is to prevent or control the spread of disease.  This exception, does not permit covered entities to disclose a person’s PHI to the general public. Not even if the state government declares a state of emergency. In order for covered healthcare entities to release the protected information of patients, during a public health crisis, the Secretary of Health and Human Services must waive the applicable provisions of the HIPAA privacy rule.

If this privacy rule had been waived earlier, would we now have a better handle on the outbreak?

Perhaps now that President Trump has declared a national emergency, HSS Secretary Azar will decide to waive the HIPAA privacy rule. It is not clear, though, that he should. It seems entirely possible that, if the  HIPAA privacy rule was waived for the purpose of providing more information to the public, it would actually have the opposite effect. Many people who might otherwise have willingly submitted to being tested might be discouraged from seeking medical help if they think that their private information will be plastered all over the internet. This would only exacerbate problems facing the attempts to gather accurate statistics. Furthermore, one would expect that large swaths of the country would not take kindly to the government disregarding individual privacy rights. 

And yet, there is a sense that the privacy rule is already being selectively waived – that there is something of an unwritten “VIP Exception” to HIPAA. When a well-connected individual who attended the conservative convention, CPAC, tested positive for coronavirus, important individuals (including politicians like Ted Cruz, Matt Gaetz and Paul Gosar) were notified, while rank-and-file attendees who also had contact with the individual were not notified. It should not be assumed that the attendee’s healthcare provider violated HIPAA by selectively notifying important people, though. The most likely explanation for why some were notified and others weren’t is that the infected person reached out to people he/she knew, and told them that he/she tested positive. But why should the decision about who gets notified be determined based solely on who you know?

Conservative blogger Brandon Darby took to twitter to express his dismay with the apparent double standard, saying, “if you’re not rich and important, you don’t get to know if you were exposed…”. In a post on richochet.com, titled ‘Privacy in the Age of Coronavirus’, conservative commentator Bethany Mandel echoed Darby’s concerns, and questioned the ethics of of not revealing the individual’s identity

As a lawyer who practices in Westchester, I had something of a similar experience this past week. A few days ago, it was reported that another lawyer, who had tested positive for coronavirus, visited Westchester County Supreme Court building, in White Plains, and had done so several times within the last week. As someone who had also just been to the courthouse the prior day, it hit pretty close to home. Immediately I began wondering if I had interacted with this mystery lawyer. I then learned that the attorney had appeared only in family court and in a matrimonial action, located on the 10th floor of the courthouse. I had not been to either of those locations, so I breathed a sigh of relief.

Still, I’m sure many attorneys were left wondering if they might have crossed paths with the individual, maybe shared an elevator with the lawyer. No personally identifying information was provided. No description of the attorney’s physical appearance was given. And maybe that’s the way it should be. A few weeks ago it would have gone without saying that the attorney’s name should remain unspoken. Even now, I  think that we should err on the side of personal privacy. But suddenly, in the midst of a global pandemic, that’s no longer obvious.

Fear, now, seems to be playing a central role in our decision making. This is evident from the  run on grocery stores, now depleted of toilet paper, as if Trader Joe’s was Chase Manhattan Bank, in 1929. There are shades of 9/11, too, in the confused panic gripping some of the populace. Back then, nearly twenty years ago, we were quick to trade our liberties for the feeling of safety. As a result we got the Patriot Act and PRISM, the NSA’s warrantless spying program. This time around, whatever treatment we settle on for this disease, we should be wary of the side-effects.