A newly released paper by four academic researchers comparing electronic health record adoption in the United States and European Union concludes that concerns over privacy of health record data remain the key obstacle to broader EHR use in the United States. The paper, “Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared,” co-authored by Wade Chumney of Georgia Tech, Janine Hiller and Matt McMullen of Virginia Tech, and David Baumer of North Carolina State, assesses the legal privacy protections in place for health information in both the US and EU, and attributes the much greater penetration of EHRs in many European countries (such as Holland, where nearly all residents have EHRs) to the stronger privacy regulations. Specifically, the researchers point to a notable lack of public support for health IT such as EHRs in the United States, and to key differences in legal and policy approaches to data privacy in the US and EU, where the American stance is seen as more reactive compared to the EU’s proactive approach. The recommendations in the report include suggestions that US health data privacy laws be strengthened (beyond the impact of HITECH on HIPAA) in areas such as giving a private right of action to individuals who suffer from violations of privacy laws, implying that affording redress rights to individuals would help overcome privacy-driven reluctance about using EHRs. It remains to be seen whether the Department of Health and Human Services’ Office for Civil Rights has the resources and resolve to follow through on its stated intentions to more vigorously and proactively enforce federal health data privacy and security regulations, and if so, what impact stronger enforcement might have on public perceptions about data privacy in healthcare.
While it’s hard to argue against implementing better protections for health data and stronger enforcement of current privacy laws, greater efforts are also needed to educate consumers (and healthcare providers) about health IT and its capabilities. In a blog post published on Tuesday, MEDecision’s Eric Demers warns that excessive fears about health information privacy threaten to needlessly slow EHR adoption, a situation that could be avoided with a combination of better enforcement of existing legal safeguards like those under HIPAA overseen by HHS’ Office for Civil Rights, and with broader education of consumers about the strength and effectiveness of existing EHR security. When available security mechanisms are actually implemented and configured correctly, it is probably true that the risk of loss of confidentiality or integrity for electronic health record data is commensurate with online retail or banking, as Demers suggests. But if a consumer’s data is stolen in those domains, there is typically very little loss incurred (with the obvious exception of cases where the stolen data enables identity theft), because laws and business practices in e-commerce and banking mean that the businesses shoulder all the financial burden, so the customer is rarely if ever hurt out of pocket. This is not the case for health data, or more importantly perhaps it is not perceived to be the case, as people seem to think the loss or theft of their medical record data is much more dire than losing some personal financial information. Also, the personal data associated with retail and banking transactions is not nearly as sensitive (to most people) as their health data is — it’s trivially easy to change an account number, get a new credit card, or restore stolen funds, but there is no equivalent way to revoke or reissue a medical history once it has been disclosed.
What this may mean is that EHR vendors and the health care organizations that use health IT may need to convince people that health data privacy and security protections are more robust, or provide better protection, than the controls in situations with which they are already familiar.
The previous post looked at some of the variable and as yet unresolved factors that may help determine how and under what circumstances GPS location data may be used for investigations by law enforcement personnel, with or without a warrant. As should be abundantly clear to anyone reviewing the recent and often conflicting or inconsistent judicial rulings on the collection and use of location data (GPS-based or otherwise), privacy expectations and the corresponding applicability of the 4th Amendment or any of the variety of statutory regulations relevant to such data may depend on the specifics of a given situation. One way to think through these scenarios is to consider key characteristics that incorporate (or exclude) current regulations or legal precedents, by asking questions such as the following.
Is the collection and use of GPS data a search?
The accepted legal standard for determining the applicability of the 4th Amendment protections against unreasonable search and seizure was established in a concurring opinion by Justice Harlan in Katz v. United States. Under this standard courts can determine whether an asserted expectation of privacy is reasonable by considering both the extent to which the individual exhibits an expectation of privacy, and whether society recognizes this expectation of privacy as reasonable. In many formulations this two-part test addresses both subjective (the individual’s) and objective (society’s) expectations, and unless both prongs are satisfied, no reasonable expectation of privacy can be said to exist. When considering GPS data in particular and location-related information about an individual in general, there is still some debate as to whether an individual’s assertion of privacy regarding their own movements is reasonable. In the recent 3rd Circuit finding that rejected a magistrate judge’s refusal to approve a government request for cell site location information, the court decided (contrary to the magistrate judge’s finding) that the location of cell towers to which an individual’s cell phone connects could be considered to be a part of the wireless service provider’s records, and was therefore information that cell phone users willingly disclose to third parties (wireless providers) and hence could not be considered private information.
What sort of GPS device is in use?
There are two contexts in which the nature of the GPS device becomes relevant. Most important is whether the GPS device can be used to track the location of an individual, rather than an object (such as a car or container), but a related consideration is whether the device itself can be considered to be a tracking device. While it may seem obvious that the use of GPS would be consistent with the use of a tracking device, there are plenty of GPS receivers on the market that do not communicate the user’s location beyond displaying it on the device’s screen. In contrast, GPS location capabilities associated with cellular phone handsets or, for example, auto industry services such as LoJack or OnStar operate in such a way that they first compute a position fix from the satellite signals, then communicate that location data either to the service provider or directly to law enforcement personnel. The reason the distinction is important is because there are existing legal restrictions on gathering data from tracking devices — most generally, Rule 41 of the Federal Rules of Criminal Procedure requires a showing of probable cause in order to issue a warrant so that a tracking device can be used. The Supreme Court’s ruling in United States v. Knotts was a departure from this procedural standard, but one which the court justified because the placement of the tracking device (a radio beeper, not a GPS receiver) and the movement that was tracked occurred in public settings. For law enforcement personnel to gain access to GPS location information about a cell phone without obtaining a warrant, presumably the location data being sought could only correspond to public locations — that is, places where visual surveillance would be feasible.
Who is collecting the GPS data?
The discussion about who is on the receiving end of the data as it is gathered boils down to whether the data being sought (typically by the government, with or without a court order) will be transmitted directly to government agents such as law enforcement personnel, or whether the data is already collected by a third party, typically in the course of routine business operations. Generally speaking, current attention is focused on “electronic communication service” providers (there is a specific legal definition for that term established by the Electronic Communications Privacy Act), who are the explicit subject of the Stored Communications Act (Title II of ECPA). The legal history is longer and a bit harder to navigate than ECPA alone, as ECPA served to amend the Omnibus Crime Control and Safe Streets Act of 1968, and the statutory provisions such as §2703 codified in Title 18 of the U.S. Code were further modified in 1994 by the Communications Assistance for Law Enforcement Act (CALEA). The general intent of these provisions is to provide legal assistance for law enforcement investigations in the form of communications records held by service providers. The net result where location data is concerned (if in fact location data is considered to be part of service provider records) is that it is generally more straightforward — in the sense that investigators need to satisfy less stringent legal requirements — for law enforcement personnel to get data from records maintained by service providers than it is for them to act as the primary collector of the data.
In what locations is the individual when GPS data is collected?
Supreme Court precedents focus specifically on whether location data can be used to pinpoint individuals within their homes, as gathering data related to just about any type of communications within the confines of a private residence ordinarily requires a warrant. In United States v. Karo the Court held that the use of a tracking device (a beeper of the same sort used in the scenario involved in Knotts) to determine the presence of the device (in this case, placed inside a chemical drum) inside a residence was an unreasonable search and therefore required a warrant. With somewhat similar reasoning, in Kyllo v. United States the Court ruled that the use of a thermal imaging device that allowed law enforcement personnel to gather information (in this case, temperature) inside the home violated the occupants’ reasonable expectation of privacy. There has been some technical debate as to just how accurate GPS tracking data (and, for that matter, cell site location information when triangulation is used) is in terms of pinpointing the location of an individual, as well as the effectiveness of GPS tracking when the device in question is indoors. Technical questions aside, it seems logical based on past legal precedent that using cellphone-based GPS data to track individuals is likely to require a warrant if the historical or future monitoring timespan will include periods when the subject will be in their home.
What type of data is being sought?
There is an important legal distinction between the contents of a communication and the data in the records about the communication. Where contents are sought, the legal requirement is clear that a warrant is needed, whether for historical or prospective communications. In contrast, various laws and legal interpretations have held not only that record data about communications should be considered separately from the contents, but in many cases that individuals can have no reasonable expectation of privacy about the information contained in such records, because they willingly share that information with service providers or other third parties who enable the communications to take place. Examples often cited for telecommunications services include the originating and terminating telephone numbers at either end of a call (wired or wireless), or the sender and receiver of a text message or email. The privacy analogue is postal mail, where the destination address (and by convention if not requirement the sender’s return address) on an envelope are disclosed to the postal service in order to enable successful delivery of the mail, but the contents inside the envelope remain private, even from the postal service personnel to whom they are entrusted. Where GPS location data is concerned, it’s not that anyone has argued that location data is communication contents and therefore should remain private, but neither is there agreement that location data is unarguably among the information that the service provider needs, especially given that providers do not only use location data in order to enable communication transmissions, but store historical location data over time. It might be interesting to see the response to an argument that concedes that cell site location information is necessary for routine telecommunications operations, but challenges the relevance of, or need for, GPS data collection in addition to cell site data.
What period of time does the GPS data cover?
The D.C. Circuit in its Maynard ruling is the only court so far that has drawn a distinction between short-term and long-term GPS tracking. The investigation in question in that case relied on first placing a GPS tracking device on the suspect’s vehicle and then following his movements over four weeks to establish patterns indicative of his participation in drug trafficking. Given the appellate court’s ruling, it seems likely that law enforcement personnel would be wise to seek a warrant before engaging in prolonged monitoring or tracking using a GPS device. It is not at all clear that the government could succeed at all in a §2703(d) application to a magistrate judge or other authority seeking historical GPS information — such as from a wireless service provider — but if the request sought data covering more than a very short period of time, the precedent set by the D.C. Circuit would strongly suggest that a warrant is needed.
The 4th Amendment implications of location-based data have been a topic of active discussion, prompted in part by two recent federal Circuit Court rulings, and to a lesser degree by some outspoken opinions made both in concurrence and dissent to these and other court rulings, and a number of legal interpretations offered by law professors (including some who filed briefs in the cases in question) and other analysts about the most appropriate interpretation of the text of the 4th Amendment itself. These opinions add to ongoing discussions of several laws addressing law enforcement and government behavior with respect to 4th Amendment searches and seizures, and analyses of both legislative intent and judicial reasoning when trying to apply these constraints to relatively recent technologies like GPS that weren’t considered when the laws or legal precedents were established. The divergence of several federal Circuit Courts on matters central to this debate raises the likelihood that the Supreme Court will need to weigh in on the issues, although it is entirely possible that a case that makes it to that level will involve cell phone tower location information or other data collected in the course of modern provision of telecommunications services, and not GPS data per se.
In August, the D.C. Circuit reversed the conviction of an alleged drug trafficker on the grounds that the installation and monitoring of a GPS tracking device — placed on the man’s vehicle without a warrant — over a continuous four-week period constituted a search and violated the suspect’s reasonable expectation of privacy. This ruling ran counter to opinions from multiple other federal courts involving investigatory vehicle tracking without a warrant, all of which rely on the Supreme Court’s ruling in United States v. Knotts, which said that using a tracking device to monitor travel on public roads is no different than visual surveillance and therefore did not require a warrant. While this D.C. Circuit case is notable primarily for its departure from the Knotts precedent, the facts of the case place the issues the court addressed within some narrowly defined situational boundaries that leave many key 4th Amendment questions unanswered. Specifically, the GPS device used in the investigation was affixed to the bumper of the defendant’s car, and transmitted location data directly to law enforcement personnel. This meant that the GPS location data did not extend inside any buildings or particular locations (especially the defendant’s home), and there was absolutely no question (as there is in analogous investigations involving location data from cellular telephones) as to whether the GPS device in question should be considered a tracking device.
In a case with somewhat different facts but which raises many of the same key issues, the 3rd Circuit filed a ruling last week regarding an ex parte application by the government seeking to obtain cell site location data about a cell phone subscriber from the subscriber’s wireless service provider. The government in this instance sought access to historical cellular phone location information from the service provider under the terms of the Stored Communications Act (specifically, 18 U.S.C. §2703(d)), a legal standard which enables investigators to compel disclosure of subscriber records without obtaining a warrant. The magistrate judge who considered the government’s original request denied the request, but upon appeal the 3rd Circuit vacated the magistrate judge’s decision and remanded the government’s application for reconsideration by the magistrate court, with instructions to follow the opinions expressed in the Circuit panel’s ruling, which in essence rejected the original reasoning used by the magistrate judge to deny the government’s application. Among the questions considered in this appeal were whether the use of cell tower location information should equate to the cellular telephone being categorized as a tracking device, and whether wireless subscribers can have a reasonable expectation of privacy with respect to such location information. In direct contrast to Maynard, in this case there was no GPS data involved (although the government gives every indication that it believes it could seek GPS location data in the same manner) and the location data was collected by the service provider in the course of normal operations, not by the investigators. 
What the two cases have in common is that the data in question covers an extended period of time, and that, at least according to the government’s contention (the technical accuracy of the claim notwithstanding), the specificity of the location data is not such that it would unquestionably extend within the confines of a subscriber’s home.
Looking at several former and recent federal court rulings in the aggregate, whether or not GPS location information can be acquired and used by law enforcement depends on several factors. To determine whether getting access to GPS data about an individual without a warrant is constitutional, you have to consider several key questions:
Only the Maynard ruling (so far) has directly addressed the use of GPS tracking devices, and in that case the device was physically placed on a vehicle. A more interesting question would be how the laws and court precedents are interpreted when the government seeks GPS data transmitted by cellular telephones. In such a hypothetical instance it’s hard to imagine a credible argument against considering a cellular phone to be a tracking device (the 3rd Circuit accepted the government’s argument that it is not, but only cell site location data, not GPS data, was involved in that case), so it would seem that §2703(d) requests could not be used. However, in the Justice Department’s own guidelines on obtaining electronic evidence for investigations, it lists GPS data among the many “record” contents that it advises its personnel may be sought using applications under §2703(d). Given the immediate impact the D.C. Circuit Court’s Maynard opinion has had among members of the judiciary at all levels, and the divergence of opinions among multiple federal circuits, it would seem the Supreme Court would not only be willing to weigh in on these issues, but might even be eager to do so.
Joseph Conn of Modern Healthcare called attention in a blog post yesterday to the almost complete absence of civil penalties imposed against violators of the HIPAA Security and Privacy rules, pointing out that without some credible evidence of enforcement for legal regulations, regulations such as HIPAA are an empty threat. In his post, he points to the frequently repeated public emphasis on privacy and security and their essential role in engendering trust among patients and other health care stakeholders as incongruous with the “friendly persuasion” HIPAA enforcement approach employed by the HHS Office for Civil Rights during both the current and previous administrations, basically concluding that the only way to achieve better compliance with the law is to strengthen enforcement. The statistical highlights provided by OCR itself regarding HIPAA complaints, investigations, and negotiated settlements and other resolutions certainly seem to suggest that non-compliance is a widespread issue, but in suggesting that legal requirements will be ineffective without more substantial enforcement, Conn implies that at least a significant subset of HIPAA-covered entities and business associates consider the lack of enforcement an invitation to violate the law. Whether or not you agree with this specific argument, if its reasoning is correct, then the recommended corrective action (stronger and more proactive enforcement measures) on health care privacy and security cannot produce the trust that the government appears to be seeking. In an environment where individuals or organizations can only be expected to behave as they should due to the presence of legal or other sanctions, the participants cannot be considered to be trustworthy, and therefore should not expect to be trusted by those they interact with, whether individual patients, peer organizations, or government regulators.
It seems entirely likely that relationships between different health care stakeholders — perhaps especially between health care entities and their regulators — are marked by distrust, rather than trust, and current government-led efforts to put in place effective governance, oversight, and enforcement mechanisms under the rubric of “trust frameworks” are more characteristic of distrusting relationships than they are of trust.
The American Civil Liberties Union (ACLU), joined by national associations representing defense lawyers and press photographers, filed a lawsuit in federal court this week challenging the U.S. Customs and Border Protection (CBP) policy on border searches of information in the possession of travelers, particularly including information stored on electronic devices such as laptop computers. The CBP policy, issued in July 2008, asserts the right of CBP personnel to examine computers, hard drives, and other electronic storage devices (as well as hard-copy material), without any need to show probable cause, suspicion, or justification of any kind. The policy also describes circumstances and operational guidelines under which CBP officers may take and hold information-containing devices in order to conduct thorough reviews of the information, potentially including using expert assistance to translate, interpret, or even break encryption if it has been used. Such detention is temporary (which legally appears to distinguish it from seizure of the information), and the policy requires any copies of the information to be destroyed if, after review, no probable cause exists to seize it, but there are virtually no limitations on the type of information that may be reviewed.
The complaint filed by the ACLU challenges the CBP policy on Constitutional grounds, claiming causes of action under the Fourth Amendment because the border search policy and the searches performed under its authority allow warrantless, and in fact suspicionless, searches, copying, and detention of electronic devices and the data they contain, and under the First Amendment because the information reviewed by CBP includes expressive material protected by the free speech clause. The lead plaintiffs in the case include a doctoral student, a defense attorney, and a freelance photojournalist, all of whom have been detained on one or more occasions when traveling into the United States, and all of whom were subjected to searches of electronic devices in their possession when they passed through customs. The pending legal debate on this issue seems likely — as is often the case where homeland security is involved — to boil down to whether the government’s interest in ensuring compliance with and enforcing customs laws trumps reasonable expectations of privacy held by individuals traveling into or out of the United States.