Category: Privacy (Medical)


Can the TB Patient Sue the CDC?

The WSJ blog points to this interesting update about the TB patient who was quarantined for having a highly-resistant strain of TB. I blogged about the case here and here. According to the news story, times aren’t very good for Andrew Speaker, the TB patient:

At National Jewish Medical and Research Center in Denver, where he was transferred from Grady, he received hate mail and death threats from people whom he said “turned on the news and saw this greedy, self-absorbed attorney.” At a congressional hearing, a representative referred to Speaker as a “walking biological weapon.” . . . .

Speaker was released from National Jewish on July 26, his treatment successfully completed. He takes 11 pills every morning at 8 a.m., supervised by public health officials who drop by on their way to work — a standard regimen he will follow for the next two years to make sure the TB has been fully eradicated. He’s in excellent health and has gone back to his previous routines, unmasked and unquarantined.

But his personal injury law practice is floundering, and his life is far from normal. His existing clients have stuck with him, but there have been no new clients since the ordeal began. The perception that he’s a selfish jerk who thought nothing of exposing others to a deadly disease lingers.

“The CDC told everyone that I only care about myself,” he said. “They made statements they knew were wrong. They intentionally went after my family and our character.” . . . .

His father’s practice has also suffered. Theodore A. Speaker, also a lawyer, has based his practice for 25 years on referrals from providers of prepaid legal services. Speaker said those companies stopped referring clients to his father after news of his TB broke because potential clients were afraid they’d catch TB if they came to Ted Speaker’s office, which he shared with his son.

Speaker is also being sued in Canada for $1.3 million by eight passengers on his flight from Prague to Montreal for potentially exposing them to TB plus pain and suffering. The brother of one passenger is also suing.

At the end of the article is this interesting tidbit:

Does Speaker have any plans to sue the CDC?

“They’re a federal agency. They have immunity,” he said in resignation. “It’s easier to think this guy is a jerk than that a government agency got together to intentionally misinform the public. That’s much harder to believe.”


According to the news reports, Speaker’s name was disclosed by government medical officials (probably CDC officials trying to cover their behinds for screwing up so badly). Medical officials have legal and ethical duties to maintain confidentiality. There’s also a potential Bivens action for a violation of the constitutional right to information privacy. See Whalen v. Roe, 429 U.S. 589 (1977). Most circuits recognize the constitutional right to information privacy, and it is violated by unjustified disclosures of personal information, especially medical data. For example, in Doe v. Borough of Barrington, 729 F. Supp. 376 (D.N.J. 1990), the court held that the police could be liable for disclosing to a person’s neighbor that the person was HIV positive. There are many other cases on point.

The short of it is that Speaker does have a case against the CDC if he can prove that CDC officials leaked his name and/or other medical information. It is clearly established that government officials have a duty of confidentiality of medical data under the constitutional right to information privacy in most circuits, so any qualified immunity claims would not bar liability (qualified immunity applies if the constitutional violation is not clearly established).

I sure think that there might be a case here.


Why There’s No First Amendment Right to Sell Personal Data

There are a number of really interesting cases pending in the First Circuit and its lower federal courts that raise questions of confidentiality and free speech in the context of the commercial trade in prescription drug information. In New Hampshire, Maine, and Vermont, data mining companies have raised First Amendment challenges to state laws that restrict the ability of pharmacists to sell information about which doctors prescribed which drugs. More information about these cases from the AP can be found here. I’ve written about this phenomenon here, arguing that there are sound doctrinal, jurisprudential, and policy reasons to reject any idea that regulation of the commercial data trade raises any serious First Amendment problems.

These cases all involve laws passed by states concerned about the sale of prescription information to data mining companies, who buy information about which doctors prescribe which drugs from pharmacies and then massage the data for use in marketing and other industry purposes. The laws vary in their particulars, but basically forbid or regulate the ability of pharmacies to sell the information. In April, a federal district court in the New Hampshire case struck down New Hampshire’s law under the Central Hudson test as violating the companies’ free speech rights. The First Amendment argument can be boiled down as follows: because the laws stop pharmacies from telling other people about their customers, they violate the pharmacy companies’ free speech rights and are therefore unconstitutional.

I think this is a silly argument, as I explain after the jump.




This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning’s thumbsucker [reg/$$ req’d] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?


Vanity Taxes vs. Worthless Competitions

New Jersey adopted a “vanity tax” in 2004, levied on “any medical procedure performed on [an] individual which is directed at improving [his/her] appearance and which does not meaningfully promote the proper function of the body or prevent or treat illness or disease.” In a critique of the tax, Michael Duel argues that it is sexist and such surgery is frequently nondiscretionary:

Women can either feel inferior, enjoy a lower quality of life, and be rejected by mainstream society, or else suffer the pain and toil of cosmetic surgery to achieve the exact same ideals society uses to reject them.

Cosmetic surgeons have also railed against the tax, unctuously declaiming that it “discriminates against women” because they buy about 86% of the procedures.

NOW President Kim Gandy has a nice response to that canard:

In general, I’m opposed to most things that impact women disproportionately, but disproportionate use isn’t a good measure if a tax is unfair or not. I can’t imagine someone arguing against having a luxury tax on yachts because more of them are bought by men.

State Senator Karen Keiser is upping the redistributive ante in Washington state, with a plan to earmark vanity tax revenue for health insurance for poor children. As one tax policy analyst claims, “In this anti-tax climate, these user-based, selective tax proposals are more palatable than broader ones.”

Duel also attacks the vanity tax as a matter of tax policy, but I have a feeling he misses its point. . .



Too Much Privacy for the Virginia Tech Shooter?

Marc Fisher, a Washington Post columnist, has a column in the Washington Post complaining about how privacy laws are getting in the way of the investigation into the background of the Virginia Tech Shooter. He writes:

But the Virginia state panel investigating the shootings has already done enough poking around to show that any effort at reform will run straight into a solid wall built out of federal privacy regulations. . . .

The state investigation has been unable so far to get hold of the records that would show how Seung-Hui Cho’s mental problems were dealt with by the university or the state.

Even though Cho is dead, his records remain under lock and key because of a federal privacy law that keeps medical records sealed…forever. In general, privacy rights expire when you do. That’s as it should be–what possible right to privacy can you have when you’re merely a memory?

When the feds were writing new privacy rules a few years ago, the government initially proposed to keep medical records confidential for two years after a person died. But the feds caved to privacy advocates who insisted that releasing such records could hurt living people, for example, if genetic information about the dead person were made public. . . .

The rules are now so wildly slanted toward keeping secrets that hospitals, doctors, mental health clinics, universities and others who deal with people like Cho can pretty much do whatever they want, without any effective public check on their handling of a case. Even after a mass murderer dies, it’s unnecessarily difficult to hold institutions accountable.

Fisher’s op-ed makes it sound as if the law absolutely bars the obtaining of the records. Fisher doesn’t mention any particular laws (he only links to an HHS comment about one rule under HIPAA, but not the rule regulating access to records) or even discuss the standards that the law requires. But if one were to actually look at the law, it becomes clear that Fisher’s gripe doesn’t really exist. Unless I’m missing something, state officials could simply get a court order or subpoena to obtain the records.

The law isn’t “wildly slanted” toward protecting privacy; nor does it erect a “solid wall” that prevents the investigation from getting the records. Nearly all privacy statutes allow government investigatory officials to obtain records with a mere court order or even a subpoena. The HIPAA regulations, for example, allow for the disclosure of health information pursuant to a court order or an “administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process authorized under law.” 45 C.F.R. 164.512(f). The Family Education Rights and Privacy Act (FERPA) allows officials to obtain school records with a mere “subpoena issued for a law enforcement purpose.” 20 U.S.C. 1232g (b)(1)(a)(J)(ii). Subpoenas are very easy to use. So what’s the big deal here?


More on Identifying the TB Patient

I blogged the other day about the inappropriate disclosure of the TB patient’s identity. Over at Chronicles of Dissent, Dissent has an interesting post worth reading about the issue. He quotes Dr. Martin Cetron, Director of Division of Global Migration and Quarantine at CDC, who said: “I don’t think, publicly naming the individual, which we never do, has any advantage in [facilitating contacting individuals at risk of contracting TB from exposure to the patient], since this is not a disease that’s spread by casual interactions with the public.” Dissent writes:

Certainly by now, the patient has been portrayed in a generally unflattering light in the media — as someone who was only concerned about his own needs and desires and who gave little thought to the health of others. Less media attention has been paid to his statements that he was never ordered not to fly, that at the time he left the country, he had not been diagnosed with the dangerous treatment-resistant strain, and that after they contacted him in Europe to inform him, he felt the CDC did not move quickly enough to make arrangements for his safe travel back to the U.S. for treatment — so he made his own arrangements.

Check out the full post for more about the issue.


Identifying the TB Patient

The other day, I blogged about the TB patient who flew to Europe and back with the knowledge that he had a rare form of TB. The media had been reporting on the case for a while, and the man’s name was not identified until a day or two ago, when a number of stories began including his full name and photograph [one photo is included in this post; I have obscured his face], as well as the name and photographs of the woman he married (including photos from his wedding).

Although I find the man’s conduct to be irresponsible, I don’t think it was appropriate to identify him. I bet that revealing his name will result in threats and attempts at vigilantism, possibly putting him and his family at risk of harm. It will also severely hurt his reputation and perhaps even his career. Some might say that he deserves such consequences, but I believe that the most appropriate sanctions are legal, not extra-legal. I have blogged extensively about my thoughts about such community mob “justice” here.

Was it appropriate for the media to publish his name and photograph? The name and photograph of his wife? I am curious about how his name got leaked. If one of his physicians released it, or if a government official at the CDC or elsewhere released it, he might have a cause of action for breach of confidentiality or public disclosure of private facts.

UPDATE: Dissent (a commenter to my post) points to an AP story that provides an answer to how the man’s identity was revealed. According to the AP:

The tuberculosis patient under the first federal quarantine since 1963 is a 31-year-old personal injury attorney who practices law with his father in Atlanta, a federal law enforcement official said Thursday.

The official, who asked to remain anonymous because he was not authorized to talk about the case, identified the patient as [name]. A medical official in Atlanta also confirmed the patient’s name on condition of anonymity.

Barring facts I’m unaware of, such a disclosure by the government official seems improper and probably illegal. It might well be a violation of the TB patient’s constitutional right to information privacy. The confirmation of the patient’s identity by the medical official in Atlanta would be a breach of confidentiality. It is surprising that these individuals disclosed the man’s name. They clearly knew better, as the federal official indicated he wasn’t supposed to speak about the case and the medical official requested anonymity. This strikes me as a willful disregard for the law, and I hope that these officials will be punished, let alone successfully sued by the TB patient.


DNA Sampling — For Everyone?

The New York Times reports:

The Justice Department is completing rules to allow the collection of DNA from most people arrested or detained by federal authorities, a vast expansion of DNA gathering that will include hundreds of thousands of illegal immigrants, by far the largest group affected.

The new forensic DNA sampling was authorized by Congress in a little-noticed amendment to a January 2006 renewal of the Violence Against Women Act, which provides protections and assistance for victims of sexual crimes. The amendment permits DNA collecting from anyone under criminal arrest by federal authorities, and also from illegal immigrants detained by federal agents. . . .

The goal, justice officials said, is to make the practice of DNA sampling as routine as fingerprinting for anyone detained by federal agents, including illegal immigrants. Until now, federal authorities have taken DNA samples only from convicted felons.

The collection of DNA is now expanded to arrestees, whereas before it was for convicted criminals. Does the fact that it applies to arrestees–people who could be innocent of crimes–change the privacy implications? In the past, I’ve posted about whether there should be a national DNA database for everyone. The arguments made on behalf of the DNA database for arrestees and convicts could readily apply to such a broader DNA database. I wrote:

The benefits of using DNA identification are quite significant, since many people who have been wrongly convicted based on erroneous eye witness testimony (which is very unreliable) have been exonerated with DNA. Adding more DNA profiles will improve the database.

Nevertheless, I am very wary of the power the database gives the government. Since we leave trails of our DNA wherever we go, it might be possible to link particular people to particular places. That’s what is done with crime scenes, but what if the use expanded beyond crime scenes?

For those who are unconcerned about the collection of DNA for arrestees, what if the DNA database contained the DNA of all citizens? After all, if it is beneficial in investigating crime and can be extended to arrestees who are later exonerated, why not take the next step and extend it to everybody? Would this pose a problem?

Hat tip: Deven Desai


Online Blacklisting of Medical Malpractice Plaintiffs

In a disturbing development, websites are emerging to create blacklists of individuals who file medical malpractice claims. According to an article at

In 2004, a group of Texas physicians launched The site listed the names of plaintiffs, attorneys and expert witnesses in medical malpractice cases. That site did not make any distinction between cases that ended in plaintiff verdicts and those that ended in defense verdicts or settlements.

According to the New York Times, a North Texas man had trouble finding a physician for his 18-year old son after his name was posted on the site. He had filed a medical malpractice suit after his wife died from a missed brain tumor, and had won an undisclosed settlement. was shut down four days after the Times article was published.

A new website to blacklist medical malpractice plaintiffs has emerged, called According to the article:

In the latest effort to enable doctors to shun patients who sue, an offshore company has launched an Internet site that lists the names of plaintiffs who have filed medical malpractice cases in Florida and their attorneys.

The site,, encourages doctors to consider avoiding patients who are listed in the database, and it strongly encourages plaintiffs who have lost their cases at trial to turn around and sue their plaintiffs attorney. . . .

Unlike the Texas site, plans to list only plaintiffs who filed cases that ended in a defense verdict, a settlement, or a plaintiff verdict on only one count while other counts were dismissed.

The overwhelming majority of med-mal cases that go to trial result in defense verdicts. A large percentage of claims never go to trial, and many of those result in settlements. Some experts say that it’s not possible to say that cases are “frivolous” just because they don’t result in a plaintiff verdict.

The article also discusses an interesting study about medical malpractice lawsuits:



HIPAA’s Lax Enforcement

Today’s Washington Post has an interesting story about how the privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) are not being enforced:

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.

The government has “closed” more than 73 percent of the cases — more than 14,000 — either ruling that there was no violation, or allowing health plans, hospitals, doctors’ offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

“Our first approach to dealing with any complaint is to work for voluntary compliance. So far it’s worked out pretty well,” said Winston Wilkinson, who heads the Department of Health and Human Services’ Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration’s decision not to enforce the law more aggressively has not safeguarded sensitive medical records and has made providers and insurers complacent about complying.

The lax enforcement of HIPAA could be addressed if HIPAA were to have a private right of action. Currently, HIPAA doesn’t provide a way for individuals to sue for privacy violations. HIPAA would be more effective with a private right of action, which would prevent enforcement from being stymied whenever an agency isn’t interested in enforcing a law. The Bush Administration has little love for the HIPAA privacy regulations, which it tried to kill when it took over power from the Clinton Administration. Instead of killing HIPAA, the Bush Administration rewrote parts of the regulations, weakening them significantly. And now, the strategy seems to be to let the HIPAA regulations sink into irrelevance.