The Confusion Over Privacy: HIPAA, the Constitution, and COVID-19
The right to privacy has always been heavily debated, especially because the Constitution does not provide any definitive right of privacy. But the battle regarding privacy in healthcare seemed to have been resolved with the passing of the Healthcare Insurance Portability and Accountability Act (HIPAA) in 1996. However, reacting to the COVID-19 pandemic the Office of Civil Rights (OCR) and other agencies suspended important aspects of HIPAA and Congress passed the, ‘Coronavirus Aid, Relief, and Economic Security Act,’ (CARES Act). The CARES Act now creates a paper trail of someone’s health status that will follow them through countless areas of life. The reaction to COVID-19 has created the exact atmosphere that HIPAA aspired to eliminate. The present-day incentives for releasing patient information ultimately begs for constitutional analysis. Was HIPAA the Constitution’s unofficial Privacy Amendment? Is it unconstitutional to suspend HIPAA? Is the CARES Act in violation of HIPAA and/or the Constitution?
The Constitution and Privacy
Jacobson v. Commonwealth of Massachusetts, 197 U.S. 11 (1905), is one hundred and fifteen years old, but the case will frame many impending constitutional questions regarding the COVID-19 pandemic. The law that Massachusetts passed in Jacobson stated, “the board of health of a city or town, if, in its opinion, it is necessary for public health or safety, shall require and enforce the vaccination and revaccination of all inhabitant thereof, and shall provide them with the means of a free vaccination.”1. The rationale behind the law was because “smallpox [had become] prevalent to some extent in the City of Cambridge, and [continued] to increase. Cambridge believed it necessary for “speedy extermination of the disease,” that all persons who had not been vaccinated should be required to do so.2
Defendant in Jacobson, claimed degradation of his rights that are secured by the 14th amendment, namely; “[N]o state shall make or enforce any law abridging privileges or immunities of citizens of the United States nor can any person per deprived of life, liberty, or property without due process of the law.”3 The Court struck down defendant’s argument; “the authority of the state to enact this statue is to be referred to…the police power-a power which the state did not surrender when becoming a member of the union under the Constitution.”4 “The Court has refrained from any attempt to define the limits of that power, yet it has distinctly recognized the authority of a state to enact quarantine laws and ‘health laws of every description.’”5 “According to settled principals the police power of a state must be held to embrace at least, such reasonable regulations established directly by legislative enactive as will protect the public health and public safety.”6
Considering the COVID-19 pandemic, questions regarding vaccination will surely surface again. However, a question not necessarily addressed in Jacobson, but heavily overlaps with vaccination inquires is, privacy. “Virtually every governmental action interferes with personal privacy to some degree. The question in each case is whether that interference violates a
command of the United States Constitution.” Katz v. United States, 389 U.S. 367, 350 (1967). The Constitution does not explicitly give the right of privacy; rather, it has been the courts who have read privacy into clauses of the Constitution.
In Katz v. United States, 389 U.S. 347 (1967), Justice Stewart, wrote for the majority and created the right of personal privacy. He found privacy roots in numerous constitutional amendments freeing the, “[T]he Fourth Amendment [from being] translated into a general constitutional ‘right to privacy.’7 The Court held the 14th Amendment protects individual privacy against certain kinds of governmental intrusion, but the Amendment’s protections go further, and stray from focusing solely on privacy rights. Moreover, the Court found other provisions of the Constitution which protect personal privacy from forms of governmental invasion.8 In footnote 5, Stewart listed his findings; the First Amendment prevents governments from interfering with the freedom to associate and privacy in one’s associations; the Third Amendment prevents the quartering of soldiers during peacetime; lastly, the Fifth Amendment also shows “the right of each individual to a private enclave where he may lead a private life.”9
In another landmark privacy case, United States v. Jones, 565 U.S. 400, 404 (2012), Justice Scalia writing for the Supreme Court, proclaimed, “[T]he Fourth Amendment provides in relevant part that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.””10 The Court relied on Katz, “we said that “the Fourth Amendment protects people, not places,” and found a violation in attachment of an eavesdropping device to a public telephone booth. Our later cases have applied the analysis of Justice Harlan's concurrence in that case, which said that a violation occurs when government officers violate a person's “reasonable expectation of privacy,””11
New regulations have expanded patient privacy since the Jacobson case, namely, the Health Insurance Portability and Accountability Act (HIPAA).12 HIPAA had two explicit purposes; “One was to ensure that individuals would be able to maintain their health insurance between jobs.”13 This is the Health Insurance Portability part of the Act. “The second part of the Act is the "Accountability" portion. This section is designed to ensure the security and confidentiality of patient information/data.”14 In addition, HIPAA mandates uniform standards of privacy for electronic patient health information and data that is transmitted during the normal course of care. Within HIPAA is “The Privacy Rule,” which mandates and unifies privacy regulations for patients’ protected health information (PHI) with the enumerated goal to protect patients’ records during the changing insurance landscape in 1996.15 A new form of safety was provided to patients through HIPAA by explicitly preventing health plans from denying eligibility because of health status; medical condition; mental illness; genetic information; disability; and other evidence of insurability.16
This was a remarkable step toward privacy for patients. Anecdotes like the following were maxims of the pre-HIPAA era. An executive at a finance company during the early ‘90s recalled how difficult to function it was dealing with his undiagnosed bipolar disorder,
I began hallucinating and became suicidal. I wouldn’t dare see a psychiatrist, for if I did it would be in my health records and my career would be over. I knew that companies received detailed updates about employee health insurance claims, and that these updates often made it easy to…identify the employees making the claims. I didn’t want my employer to know I was going crazy. The only way to protect myself…was to not have this information available at all. The only way to do that was to not get treated for a mental illness.17
Because of pre-HIPAA horror stories, “Individually identifiable health information” was explicitly protected, which included, demographic data that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)18 HIPAA’s unique provision against sharing information that could deduce the patient’s identity proves the seriousness of the Privacy Rule. Not only is sharing a patient’s demographic data precluded but being able to reasonably identify the patient is also a HIPAA violation.19
Prior to COVID-19, under HIPAA, covered entities could disclose PHI to public health authorities when the dissemination is authorized by law for preventing or controlling disease, injury, or disability…and in regards to individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law.20 The notable aspect of the original regulation is how narrowly tailored the need for disclosure is. Only when authorized by law could any PHI be released to these public health officials. HIPAA also contains a preemption provision titled, “Effect on State law,” which states; “Except as provided…a provision or requirement under this part… shall supersede any contrary provision of State law.”21 It is imperative to remember the intent behind HIPAA, “In HIPAA, Congress directed the Secretary to promulgate rules and regulations designed to ensure the privacy of patients' medical information.”22 There can be no doubt of HIPAA’s intent, it is self-proclaimed in the very first line; “This regulation…[is] to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information.”23 The preemption provision of HIPAA proves the strength Congress intended HIPAA to have. Preventing states from undermining provisions of HIPAA, the preemption provision makes HIPAA a blanket rule providing a minimum level of privacy for patient’s in all states.
COVID-19 and HIPAA
The Office for Civil Rights (OCR), U.S. Department of Health and Humans Services (HHS) released a bulletin entitled, HIPAA Privacy and Novel Coronavirus, released February of 2020 (hereinbelow, bulletin), which presented guidelines for how HIPAA will be affected as OCR reacts to the public health emergency.
First change is as follows:
Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient (emphasis added)
A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.24
Finally, HHS issued, “Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health;”
To facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency, effective immediately, OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule. (emphasis added)25
These guidelines completely dilute the “The Privacy Rule” of HIPAA, which had mandated and unified privacy regulations for patients’ PHI. Now HIPAA has been disregarded through the latest provision of the United States Code released on March 27,2020 42 U.S.C.§ 1320b-5 entitled, “Authority to Waive Requirements During National Emergencies,” which stated “[T]he patient’s right to request privacy restrictions; and the patients’ right to confidential communications,’ has been waived.” (emphasis added)
Alas, this pandemic does presently exist, and the ultimate question is, ‘How much PHI should be publicly shared?’ The HIPAA Privacy Rule as it stood required, “when protected health information is used or disclosed, only the information that is needed for the immediate use or disclosure should be made available by the covered entity,” this is known as the minimum necessary standard. (emphasis added)26 The minimum necessary standard does not apply to; 1) disclosures or requests by a health care provider for treatment purposes; 2) disclosures to the patient when requested by the patient; and 3) uses and disclosures made with the patient’s authorization.27 Further, the minimum necessary standard required covered entities to evaluate their practices and enhance protections as needed to “limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards.”28 Therefore, HIPAA intended medical professionals to decide what information was necessary to disclose. Medical professionals have always been encouraged to have open communication when discussing a patient’s treatment, but information requested by public health officials must always be “the minimum necessary for a public health purpose.”29 HHS released the following about PHI; “Information is essential fuel for the engine of health care. Physicians, medical professionals, hospitals and other clinical institutions generate, use and share it to provide good care to individuals, to evaluate the quality of care they are providing, and to assure they receive proper payment from health plans.”30 The focus was on the individual professional and their relationship to the individualized care of a single patient.
COVID-19 HIPAA Violations
An example of a notable HIPAA violation can be found in a New York Times Article, published prior to OCR’s bulletin. The Health Commissioner of New Jersey released personal information about the first death in New Jersey from the coronavirus.31 “The man, who was 69 and lived in Little Ferry, a small Bergen County town about 15 miles northwest of Manhattan, had gone to his doctor last week complaining of a fever and a cough, the state’s health commissioner, Judith Persichilli, said.”32 The article continued, “The man, identified by a close friend and an official at Yonkers Raceway as John Brennan, was treated with antibiotics and Tamiflu, an antiviral medication given to alleviate flu symptoms, but Mr. Brennan did not improve.” The article stated that Mr. Brennan had been admitted to Hackensack University Medical Center, and stated Mr. Brennan had a “history of serious health problems, including diabetes, high blood pressure and emphysema."33 The public also learned Mr. Brennan was the nighttime field representative for a horse-owner association, and Mr. Brennan’s friend of 35 years, Joe Faraldo, was interviewed about their friendship. Further, the health commissioner stated, “[Mr. Brennan] went into cardiac arrest on Monday night, but was revived… Tuesday morning, Mr. Brennan had a second heart attack, this one fatal. Lastly, Mr. Brennan was single and had no children, and regularly traveled into New York City after leaving work.34 Prior to COVID-19, HIPAA had an axiomatic presence in healthcare and therefore, Mr. Brennen even in death could rely on HIPAA to protect his PHI. He could also rely on the reasonable expectation of privacy for people to be secure in theirpersons derived from the Katz case.
However, the press was informed by a public official who described, in detail, the life of New Jersey’s first COVID-19 victim. Though the disclosure was made in good faith, COVID-19 is leading to reactive regulations. These orders need to be reflected on as the crisis continues, and specifically it is important to consider the need of each piece of PHI that is to be released. Reminding officials of the minimum necessary standard in HIPAA would not place a heavy burden on those officials, rather that standard is being presently implemented on the West Coast.
The West Coast has taken a different approach to revealing PHI. Departments in the Bay Area make the case that releasing more granular data could heighten discrimination against certain communities where there might be clusters.35 The first cases in the Bay Area were among ethnic Chinese residents returning from trips to China.36 “Pandemics increase paranoia and stigma,” said Dr. Rohan Radhakrishna, the deputy health officer of Contra Costa County, across the Bay from San Francisco, which provides only the total number of cases in the county on its website.37 “We must be extra cautious in protecting individuals and the community.”38 Therefore, the county’s public information office says it will not publicly disclose the number of cases in each city because doing so could make individuals more easily identifiable.39
Dr. Jeffrey V. Smith, the county executive for Santa Clara County, who is both a medical doctor and a lawyer, argues that more precise geographical information about the spread does not help combat the virus.40 This is significant considering Santa Clara County has recently been reported as the location of the first two deaths in the United States from COVID-19.41 “Reporting positive tests with a census tract or a city name provides data that is not helpful,” Dr. Smith said. “In fact, such data has the risk of stigmatizing areas and regions of the country in a way that does not help.”42 The approach Dr. Smith discussed relates back to HIPAA’s unique provision against sharing information that could deduce the patient’s identity.43 Furthermore, Dr. Smith believes sharing regions where patients have been is “not helpful,” resulting in unnecessary stigma.44
Regarding stigma, the Centers for Disease Control (CDC) released a note about daily life and coping with the COVID-19 crisis. These are “stressful times for people and communities. Fear and anxiety about a disease can lead to social stigma…for example stigma and discrimination can occur when people associate a disease, such as COVID-19 with a population or nationality…stigma can also occur after a person has been released from quarantine even though they are not considered a risk for spreading the disease to others.” The note was clear; “Stigma hurts everyone by creating fear or anger towards other people…stopping stigma is important to make communities and community members resilient.”45
Therefore, the dichotomy between these examples from the East and West coast are more than a differences in opinion, rather they are evidence of competing privacy values.
PHI in the courts
Prior to COVID-19 courts struggled with finding appropriate times to publicize PHI. The court in, People v. Carrier, 309 Mich. App. 92 (2015), admitted to grappling with the decision regarding PHI because of the scarce legal guidance available.46 The case dealt with 911 calls where defendant made a terrorist threat over the phone to a mental health crisis hotline.47 “The prosecution relied, in part, on phone communications between defendant and [the] emergency services specialist while the specialist was manning a mental health crisis hotline.”48 After the call, the emergency services specialist called 911 and reported specifics of the threats defendant had disclosed during the specialist’s previous phone conversation with defendant.49 “Defendant argued that his conversation with the emergency services specialist and the related 911 recording concerned privileged communications and were thus inadmissible in the criminal case brought against him.”50
The court announced their need for guidance, “We are not aware of any precedent from the United States Supreme Court that has addressed the issue of privilege under a set of facts similar to those presented here. The opinions from lower federal courts on the subject [for situations] even arguably comparable [to the facts of this case] are indeed sparse. We thus are not prepared to conclude that defendant's communications...were generally privileged under definitive federal law. On the other hand, with respect to state law and as explained hereinafter, there is clear statutory support for the conclusion that defendant's communications were, in general, confidential and privileged.”51 However, the court ultimately held that the specialist acted to protect the safety of a third person from a patient who voiced a threat of physical violence against the person to a treating mental health professional. A mental health professional has a duty to make a “reasonable attempt to communicate a particularized threat to a threatened third person in conjunction with communicating the threat to the police.”52
An error performed by the Carrier court was failing to include HIPAA in their analysis. Recall the preemption provision included in HIPAA, “Effect on State law,” which states; “Except as provided…a provision or requirement under this part… shall supersede any contrary provision of State law.”53 The Carrier court did not use a provision in HIPAA to release the information disclosed during the 911 call. Further, the court would not recognize a “definitive federal law” that would find the phone call privileged. It was clear that the court struggled to come to a conclusion and the overwhelming pressures imposed by hearing a case regarding a terrorist threat ultimately made the decision even harder to reach. The court was willing to allow the release PHI due to a “particularized threat.” But the court beseeched the Supreme Court or the legislature to provide more guidance on releasing PHI.
Presently, OCR is alleging COVID-19 is a threat which therefore rationalizes suspending HIPAA regulations. However, with HIPAA’s overlapping roots with constitutional rights of privacy, is suspending HIPAA constitutional? Is COVID-19 a particularized threat to a third party which requires disclosure like in the Carrier case? Effects of releasing patient names during the COVID-19 crisis will undoubtedly ripple. If someone is known to have the virus, can they be fired? Can they be evicted? Will they be ostracized? When vaccines are available will they be required for all citizens? Will people have to wear proof that they have been vaccinated? Will employers prefer people who have had the virus and recovered because of the alleged immunity the individual will have? The aforementioned questions are the reasons why HIPAA was put in place. HIPAA was the needed amendment to the Constitution that prevented discrimination based on health status and provided true privacy regarding health.
The CARES Act
‘Coronavirus Aid, Relief, and Economic Security Act,’ (CARES Act) shows how ubiquitous releases of PHI will now be. H.R.748-116th Congress (2019-2020)54 Part of the act, Pandemic Unemployment Assistance (PUA) provides “benefits to covered individuals who are not eligible for regular Unemployment Compensation (UC)… because of any one of the following COVID-19-related reasons:
You have been diagnosed with or are experiencing symptoms of COVID-19 and are seeking a medical diagnosis;
A member of your household has been diagnosed with COVID-19;
You are providing care for a family member or a member of your household who has been diagnosed with COVID-19;
You are unable to reach your place of employment because you have been advised by a health care provider to self-isolate or quarantine because you are positive for or may have had exposure to someone who has or is suspected of having COVID-19;
You were scheduled to start a new job and do not have an existing job or are unable to reach the job as a direct result of the COVID-19 pandemic;
You have become the breadwinner/major supporter for a household because the head of your household has died as a direct result of COVID-19;
You had to quit your job due to being diagnosed with COVID-19 and being unable to perform your work duties;
Your place of employment is closed as a direct result of the COVID-19 pandemic.55
Aside from the eight mentioned disclosures through PUA, the CARES Act in totality has 68 benefits for people who know someone with a CDC verified positive COVID-19 test and filed an appropriate application for further allocation of government provided funds.56 All 68 of the aforementioned benefits in the CARES act provide incentives for individuals to report their own health status; however, that same incentive will now allow family members, employers, healthcare providers, and others who know the identity of an individual who tested positive for COVID-19 to capitalize on that individual’s health status.57 The CARES Act now creates a paper trail of someone’s health status that will follow them through their taxes, employment, and countless other areas of life. Especially taking into consideration that many of these benefits are intended to stay in effect for the next three taxable years.58
The atmosphere HIPAA wanted to prevent would include the new benefits of the CARES Act because the CARES Act is effectively trading money for PHI. Specifically, the incentives for employers to report an employee’s health status and how it affected the employer’s business is in direct contravention with the first element of HIPAA; which “was [enacted] to ensure that individuals would be able to maintain their health insurance between jobs.”59 Therefore, even if the CARES Act, like the OCR provisions, were made in good-faith, there are aspects of privacy that must be addressed to prevent regression to the pre-HIPAA era.
The government has numerous interests in providing these incentives through the CARES Act, notably; 1) maintaining a healthy economy; 2) protecting businesses and individuals whose income has been affected from the virus; and 3) tracking the extent of the virus on the population in the present and future. These interests are not to be belittled; however, even if HIPAA is suspended, “the Fourth Amendment provides…“[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated[;]””60 “the First Amendment prevents governments from interfering with the freedom to associate and privacy in one’s associations; the Third Amendment prevents the quartering of soldiers during peacetime; lastly, the Fifth Amendment… shows “the right of each individual to a private enclave where he may lead a private life.”61 These privacy rights prescribed by the Constitution and affirmed by the Courts, must be given great deference when considering the constitutionality of the CARES Act.
Lastly, the 16th Amendment of the Constitution provides, “The Congress shall have Power to lay and collect Taxes…but all Duties, Imposts and Excises shall be uniform throughout the United States.”62 (emphasis added). A final constitutional analysis must consider if the CARES Act is a uniform tax provision and therefore, compliant with the 16thAmendment.
Public health and government officials have acted quickly to ensure public safety during the COVID-19 pandemic; however, despite well-intentioned efforts, reconsideration of these provisions is warranted.
 Jacobson v. Massachusetts, 197 U.S. 11, 15 (1905).
 Id. at 13
 Id. at 14.
 Jacobson, 197 U.S.
 See generally Katz v. United States, 389 U.S. 347, (1967)
 United States v. Jones, 565 U.S. 400, 404 (2012).
 42 U.S.C. § 1301.
 The University of Chicago Medical Center, Biological Sciences Division, HIPAA Background (Oct. 23, 2006) (updated Feb. 2010) http://hipaa.bsd.uchicogo.edu/background.html.
 U.S. Dept. of Health and Human Services, Summary of the HIPAA Privacy Rule, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/ind....
 29 U.S.C.A. § 1182 (West).
 Anonymous, Life Before HIPAA, Pyschcentral.com, (March, 2019) https://blogs.pyschcentral.com/older-bipolar/2019/03/life-before-hipaa/.
.S. Dept. of Health and Human Services, supra note 15.
 R.K. v. St. Mary's Med. Ctr., Inc., 229 W. Va. 712, 717 (2012).
 State ex rel. Proctor v. Messina, 320 S.W.3d 145, 150 (Mo. 2010), 42 U.S.C.A. §§ 1320d–2(d)(2)(A).
 45 C.F.R §§ 160, 164
 U.S. Dept. of Health and Human Services, Office for Civil Rights, BULLETIN: HIPAA Privacy and Novel Coronavirus (Feb. 2020) https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-co....
 U.S. Dept. of Health and Human Services, Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, https://www.hhs.gov/sites/default/files/notification-enforcement-discret...
 See U.S. Dept. of Health and Human Services, supra note 15.
 See Compliancy Group, The HIPAA Minimum Necessary Standard, https://compliancy-group.com/the-hipaa-minimum-necessary-standard/.
 https://www.hhs.gov/hipaa/for-professionals/faq/207/how-are-covered-enti... minimum-necessary/index.html.
 Compliancy Group, supra note 27.
 U.S. Dept. of Health and Human Services, supra note 15.
 Tracey Tully, First Coronavirus Death in New Jersey: Yonkers Raceway Worker, The N.Y. Times, (Mar. 10, 2020) https://www.nytimes.com/2020/03/10/nyregion/coronavirus-death-nj.html.
 Thomas Fuller, How Much Should the Public Know About Who Has the Coronavirus?, The N.Y. Times (Mar. 28, 2020) https://www.nytimes.com/2020/03/28/us/coronavirus-data-privacy.html?acti...
 Fuller, supra note 35.
 Matt Hamilton, Autopsies reveal first confirmed U.S. coronavirus deaths occurred in California in February, The L.A. Times(Apr. 21, 2020), https://www.latimes.com/california/story/2020-04-21/autopsies-reveal-first-confirmed-u-s-coronavirus-deaths-occurred-in-bay-area-in-early-february.
 Fuller, supra note 35.
 U.S. Dept. of Health and Human Services, supra note 15..
 Fuller, supra note 35.
 Center for Disease Control and Prevention, Coronavirus Disease 2019, Reducing Stigma https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/reducing-stigma.html.
 People v. Carrier, 309 Mich. App. 92, (2015).
 Id. at 93.
 Id. at 94–95.
 Id. at 93.
 Id. at 97
 R.K. v. St. Mary's Med. Ctr., Inc., at 717.
 CARES Act, H.R. 748, 116th Cong. https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.pdf.
 The University of Chicago Medical Center, Biological Sciences Division, HIPAA Background (Oct. 23, 2006) (updated Feb. 2010) http://hipaa.bsd.uchicogo.edu/background.html.
 Jones, at 404.
 The 16th Amendment, March 15, 1913; Ratified Amendments, 1795-1992; General Records of the United States Government; Record Group 11; National Archives.