The Associate Director of Research & Education for the Consortium on Law and Values in Health, Environment & the Life Sciences and the Joint Degree Program in Law, Health & the Life Sciences conducts research relating to law, biomedicine, the life sciences, and bioethics; collaborates on grants; generates original scholarship; teaches graduate and professional students; and helps lead the Minnesota Journal of Law, Science & Technology.

Our previous Associate Director, the very talented Jordan Paradise, is leaving to take a tenure-track faculty position at Seton Hall Law School. Please spread the word about this great opportunity!

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option — even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Privacy statutes are far from perfect, of course — the report highlights some inconsistencies between the federal privacy laws governing health care (HIPAA) and education (FERPA). But the more significant flaw is a widespread system failure where institutional over-reaction to privacy statutes prevents even their most optimally balanced provisions from working properly. This risk-aversion surely is not based on over-enforcement. I believe it is still true that no one has ever been fined for violating HIPAA. It seems the problem is the complexity of the rules, both real and perceived. Maybe this report will kick-start efforts to solve that problem, but I’m not optimistic.

This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning’s thumbsucker [reg/$$ req'd] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?

The article points to one cause: the regulations are long and often vague (though not as bad as some claim); it is always easier to say “no” than to figure out how to say “yes.” HHS must do a better job at presenting plain-English materials. Training of front-line staff — who often have the most public contact — also needs to improve. There are policy changes that could help with these problems, starting with greater effort at HHS.

In addition, I blame the army of consultants who descended on the health care industry after HIPAA passed and exaggerated its complexity to claim that only retention of their high-priced services could ensure compliance. Many offices are still spooked by that sales pitch. Increased clarity from HHS might help here too.

Finally, I agree completely with the HHS official who told the Times,

“Either innocently or purposefully, entities often use this as an excuse. They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”

I call this last phenomenon “HIPAA-cracy.” You often see the same mindset in dealing with, say, insurance coverage disputes. Inflexibility and unhelpfulness are all too often a part of the modern health care experience. And I’m not sure whether any amount of careful regulatory design can overcome that.

We’re all familiar with the sort of identity theft where bad guys steal your personal data in order to get access to your money — or more often your good credit history — for financial gain. But what about those who impersonate others in online communications by deceptively adopting a real person’s name as a pseudonym?

That appears to have happened, bizarrely, to law prof and prolific blogger Frank Pasquale, as he explains at Concurring Opinions. A Blogger page called “The Paris Site” (cute pun) is a detailed gripe site about the local hospital in Paris, Texas and its parent company, Essent Healthcare. According to this news story in the local Paris paper, Essent has sued the anonymous bloggers behind the site for defamation, alleging that the site suggests the hospital is culpable for Medicare fraud and other wrongdoing. The blogger(s) use various pseudonyms, including, at one point, “Frank Pasquale.” The state court judge in the case has ordered a local ISP to provide the real name and address of the site’s proprietor.

This sort of thing occurs fairly frequently online. On political blogs you often see commenters signing the name of elected officials, usually to parody them by making sarcastic or ridiculous remarks in their name. You also see it all the time on sites like AutoAdmit/XOXOHTH, where part of the style of so-called joke is to use other people’s names (or screen names) and turn them into sock puppets. If obvious enough as humor, those may or may not be misleading, but I have little doubt that this sort of impersonation also happens in many contexts that are outright deceptive.

Speaking completely hypothetically, does Frank have a cause of action against the bloggers too?

I think he does. It could be defamatory to attribute comments to Frank that he did not make, at least if they harm his reputation as a trustworthy scholar and blogger. And in states that recognize the tort of appropriation, the unauthorized use of someone else’s name for your own benefit is unlawful. Of course, such litigation would be an expensive and complicated undertaking, and usually not worthwhile. Short of suing, though, the best remedy is, as Frank suggests, regular self-googling. I have been advising people to do this for some time. Even if you don’t actually spot someone stealing your identity, it gives you a sense of how others perceive you when they search for you online — a more important component of your persona all the time.

Finally, two asides about this particular case:

First, we are going to see more and more of these motions to disclose the identity of John Doe defendants in cases involving pseudonymous or anonymous online speech. It seems clear to me that there needs to be a mechanism for plaintiffs who are truly harmed by such speakers to hold them accountable in court (including in legitimate IP infringement cases). On the other hand, it should not be a routine procedural formality to unmask anonymous speakers just because you filed a complaint with some allegations. Our system is extremely lenient toward complaints at the initial or “pleading” stage. There is tension here with underlying fundamentals of civil procedure, because we would need a judge to make some assessments of the lawsuit’s merit at the very outset. This happens to some degree when plaintiffs seek preliminary injunctions, but in those situations at least the defendant is already at the table. There is more work to be done in developing appropriate standards for these ISP subpoenas.

Second, I have not seen the complaint, but based on the newspaper story alone I wonder whether the hospital’s case is very strong to begin with. It seems to allege defamation and violation of patients’ privacy.

On defamation, many of the newspaper’s quotations from the Paris Site seem to be statements of opinion that are not actionable, for example: “This isn’t Nashville or Boston or Dallas or Austin. It is a community that you wounded and are sucking out the life’s blood. We don’t like your style of vampires.” Clearly this is not an accusation that Nosferatu actually works at the hospital in Paris, Texas. The most likely candidate for defamation — again, just going on the news report — is this insinuation: “Apparently Medicare fraud is in the air, and PRMC is looking for a scapegoat. Billing practices from the rehabilitation unit are suspect, as well as vascular ultrasound studies billed by the hospital, but done by unregistered technologists.” I’m not sure, and I’d need to see it in context, but this may also skirt the boundary of defamation if it can be found to raise questions based on reliable information rather than to state flatly that the hospital is engaged in wrongdoing.

As to the patient privacy angle, what gives the hospital standing to sue on behalf of its patients? Not the privacy torts. Not HIPAA, which provides no right to sue (and anyway, a loophole in HIPAA means that individuals who are not “covered entities” cannot be held liable for breaches under the statute, as explained in this DOJ memorandum — the topic of an excellent seminar paper by one of my students last year). Again, I have not seen the complaint, but this does not sound like a slam-dunk case. If it is harassment against a gripe site — if that’s what’s really happening — then I hope these bloggers can find themselves a good pro bono lawyer.

Will doesn’t seem to oppose genetic testing generally; he doesn’t want to provide pregnant women with certain information (or, perhaps, opposes mandating its provision) because he is concerned about their behavior in response to it. Information control, then, is a second-order move: banning abortion is currently impermissible constitutionally, and convincing women to carry babies with Down to term is evidently an unsuccessful proposition. (Will states that 85% of pregnancies where the fetus is diagnosed with Down syndrome end in abortion.)

Some might object to Will’s position either because of his conservative politics or because of concerns about limiting choice. There are parallel situations that would likely worry liberals, too, though. India regulates genetic testing (Word document) due to concerns that parents will abort female fetuses.

There are three problems with this approach. First, censorship is clearly a second-best (if that) solution. Changing the underlying behavior is preferable; Will’s sensitive treatment of Jon, a person with Down syndrome, may be helpful in this regard. Second, banning information works like banning narcotics: it shifts from a legal to a black market for information, increasing both its cost and its risk. If we took the strong version of Will’s position and banned the Down test, we could safely anticipate that wealthy expecting parents could pay the risk premium to get the test, while less well-off pregnant women could not. This would lead to the counterintuitive, and likely undesired, result that children with Down syndrome would be more likely to be born to families with fewer resources to help meet their particular needs. Again, altering the underlying bias against children with Down syndrome is a better approach.

Finally, in a legal regime where abortion is lawful, access to information poses hard questions. Should we ban genetic tests for Tay-Sachs Disease? What about neural tube defects? The question is what alterations from standard fetal health should be diagnosed, and which ones society views as proper grounds for termination of a pregnancy. If we know that 85% of parents would abort a fetus with a given condition, how should we treat a test that provides them with information about whether their baby has that condition?

Regulating information is often easier or cheaper than regulating conduct, but it has a number of flaws: it favors those who can buy their way around barriers, and it avoids hard questions about the underlying behavior that is undesirable (the information, after all, is formally neutral). I’m worried that Will is taking the easy way out.

However, there are at least two concerns. First, interoperability is what makes EMRs work. If the new rules encourage fragmentation, rather than standards-based records, they will hurt patients rather than helping them. Second, even donated technology and services can influence a physician’s decision regarding referred care. This may be an acceptable trade-off for enhanced EMR and e-prescribing adoption, but it’s one we should mull over.

Props to Joe Perry, a colleague and friend who’s working with me on a paper about the unexpected costs of the Health Insurance Portability and Accountability Act (HIPAA), for the pointer. Joe’s a manager at IBM and a Ph.D. candidate at Northeastern University’s program on Law, Policy and Society.

I’m fascinated with this problem – how information, and how it’s presented, affects human decisions and the way law tries to regulate them – and have a paper coming out soon that looks at the tension between cognitive biases and the theory of the “marketplace of ideas.” Even random information can alter our analysis. To give one famous example, Amos Tversky and Nobel laureate Daniel Kahneman spun a wheel of fortune with numbers from 0 to 100 in front of study participants. Next, Tversky and Kahneman asked the subjects to estimate how many African countries were in the United Nations. Lo and behold, the spin results significantly affected people’s estimates – even though they had no bearing whatsoever on the correct answer.

What does it mean for law and policy when how information is framed alters the choices we make based on it? For example, what is the “correct” way for doctors to present data on risks to patients, knowing that discussing it in terms of the risk of dying (mortality) versus the probability of living (survival) – flip sides of the same coin – will shift the resulting decision? What should the law require for “informed consent“? Should doctors reveal a tiny risk of a gruesome death if they know, empirically, patients will give undue weight to that possibility?

I don’t know the answers to these questions. I submit to you that information law must grapple with them if it wishes to guide regulation effectively.

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has “closed” more than 73 percent of the cases — more than 14,000 — either ruling that there was no violation, or allowing health plans, hospitals, doctors’ offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

This is a problem for lots of privacy regulation. Government enforcement agencies tend to prefer “big fish” and egregious infractions, and data privacy breaches often involve just the opposite: multiple smaller entities (here, many hospitals and doctors’ offices) whose individual violations, while very important to those they injure, do not add up to huge aggregate impact.  And the basic civil fine is a measly $100 per violation.  In that situation, limited resources for enforcement are somewhat predictable.