Security and privacy after September 11: the health care example

This article examines the interaction between data privacy, which was a highly salient political issue before the events of September 11, and cyber-security and homeland security, which became much more salient after those events. The article illustrates the shift in salience by examining the USA-PATRIOT Act, which was passed quickly in the fall of 2001 despite containing a number of surveillance provisions that had been explicitly rejected by Congress in 2000. To understand the interaction between privacy and security, the article examines the medical privacy rule issued in 2000 under the Health Insurance Portability and Accountability Act (HIPAA). (In the interests of full disclosure, the authors were the lead White House officials in coordinating the privacy rule.) The analysis here shows that the HIPAA rule stands up well to the concerns of the post-September 11 era. Concerns about public safety are met by existing provisions that permit disclosures to protect national security, to react to emergency circumstances, and to respond to law enforcement inquiries. The article explores in particular detail the proposed Model State Emergency Health Powers Act, drafted in the wake of the 2001 anthrax attacks. Professors Lawrence Gostin and James Hodge have argued that this Act is justified by a new "model of information sharing" for medical information. Our article concludes that public health concerns are appropriately addressed by the current HIPAA rule, and that a "model of information sharing" sends precisely the wrong signal about how the health system will handle issues of data privacy and security. More generally, the article analyzes situations of "security vs. privacy", where the two values are antagonistic, and situations of "security and privacy", where the two values work together. Security in some instances means greater surveillance, information gathering, and information sharing. For instance, law enforcement can monitor the online movements of hackers or hospitals can more quickly report cases of anthrax infection. These situations of "security vs. privacy" are defined as instances where security is promoted by getting information to the proper decisionmakers. As these information flows increase, privacy decreases. By contrast, security measures often promote privacy. Good security is one of the standard privacy fair information practices, because otherwise any hacker can get into a sensitive database. Good security, moreover, creates audit trails about which authorized users have accessed particular systems or data. Such auditing mechanisms promote the fair information practice of accountability, by deterring wrongdoing and making enforcement more effective. Finally, the authors explain how the most cost-effective and thorough implementation of privacy occurs at the time of a computer system overhaul. This approach is fundamental to HIPAA, which provided that privacy and security protections should be built at the same time as the shift to electronic health records. The new emphasis on security after September 11, in short, is a major strategic opportunity to improve data handling practices in general, for both security and privacy.