The NSA, Protected Health Information, and HIPAA

September 16, 2013

The NSA has examined communications nationwide in a way that makes it logical to conclude that it improperly accessed PHI contained in those messages and, therefore, violated HIPAA.

Reuters reports a FISA court ruling "that found some of the NSA's e-mail collection practices were unconstitutional because they scooped up tens of thousands of e-mails between Americans," and that the court "concluded it had been badly misled [by the NSA and] ... ordered a temporary halt to the automated searches [of phone calls]." These actions appear to meet the definition of executive corruption.

People in power have an incentive to act. Inaction may find them accused of being "asleep at the switch." Even when the schemes they concoct have been the subject of vigorous debate they often produce unanticipated side-effects. The risk of the unanticipated is vastly increased when the discussion is covert and remains confined to a small group of insiders who do not want to find reasons against their pet project. This brings me to the NSA and HIPAA.

To refresh your memory, protected health information (PHI) is any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history and any such information that is disclosed during phone calls or by e-mail [various sources]. Phone calls and e-mails that contain or refer to PHI unavoidably also contain one or more of the 18 identifiers that must be treated with special care under HIPAA, some of which are:

• Names

• Geographical identifiers smaller than a state

• Dates (other than year) directly related to an individual

• Phone numbers

• E-mail addresses

• Health insurance beneficiary numbers

• Internet Protocol (IP) address numbers

• URLs

• Biometric identifiers, including fingerprints (iPhone 5S users beware)

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code

We know the following from recent news coverage:

• The NSA has obtained copies of perhaps every e-mail and phone call made over an extended period.

• The NSA has sophisticated decryption capability that allows them to decrypt e-mail messages and the voice portion of phone calls if they so choose.

• The NSA has pressured the developers of encryption software to include "backdoors" and "trapdoors" to enable the NSA to easily decrypt supposedly secure messages. They have also acted to get watered-down security standards accepted by various standard-setting bodies.

• It seems doubtful that the NSA's actions were fully justified. "[I]n a letter sent last week to Attorney General Eric Holder, the author of the Patriot Act, Rep. James Sensenbrenner (R-Wis.), said, 'I am extremely disturbed by what appears to be an overbroad interpretation of the Act.'"

• "The disclosure that the NSA agreed to provide raw intelligence data to a foreign country [Israel] contrasts with assurances from the Obama administration that there are rigorous safeguards to protect the privacy of US citizens caught in the dragnet," The Guardian reported.

We have all made phone calls to discuss a patient's diagnosis and treatment. Some of us have used e-mail (encrypted or otherwise) for the same purpose. The metadata of every phone call and e-mail includes one or more of the 18 identifiers.
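To make the metadata point concrete, here is an added example (mine, not part of the original post) that parses an e-mail and reports which of the identifier categories listed above appear in the headers alone versus the body. The message, the addresses, the IP address and the phone number are constructed placeholders, and the regular expressions only cover the categories that are cheap to recognise mechanically; the category labels are assumed to match the post's list.

```python
"""Flag HIPAA identifier categories present in an e-mail's metadata and body.

Added illustration, not code from the original post. The sample message and
the detection patterns below are constructed for this example; they cover only
identifier categories that can be recognised mechanically (names in address
headers, e-mail addresses, dates, IP addresses, phone numbers, URLs).
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: reserved .example domains, an RFC 5737
# documentation IP address and a 555 phone number, so nothing here is real.
SAMPLE_MESSAGE = """\
From: Jane Example <jane.example@clinic.example>
To: Pat Placeholder <pat.placeholder@mail.example>
Date: Mon, 16 Sep 2013 09:14:00 -0400
Received: from [203.0.113.7] by mx.clinic.example
Subject: Follow-up on your lab results

Hi Pat, your results are in. Call me at 555-0123 or see
https://portal.clinic.example/results for the full report.
"""

# Pattern-detectable categories; labels follow the list in the post.
IDENTIFIER_PATTERNS = {
    "phone numbers": re.compile(
        r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b|\b\d{3}[-.\s]\d{4}\b"),
    "e-mail addresses": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IP addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URLs": re.compile(r"https?://\S+"),
}


def _pattern_hits(text):
    """Return the set of category labels whose pattern matches somewhere in text."""
    return {label for label, pat in IDENTIFIER_PATTERNS.items() if pat.search(text)}


def _body_text(msg):
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_message(raw_message):
    """Return {"headers": set, "body": set} of identifier categories found."""
    msg = message_from_string(raw_message)
    header_hits = set()

    # Display names and addresses in the envelope headers are identifiers
    # on their own, before any content is read.
    address_headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    for display_name, addr in getaddresses(address_headers):
        if display_name:
            header_hits.add("names")
        if addr:
            header_hits.add("e-mail addresses")
    if msg.get("Date"):
        header_hits.add("dates")

    # Relay (Received) and other headers routinely carry IP addresses too.
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    header_hits |= _pattern_hits(header_text)

    body_hits = _pattern_hits(_body_text(msg))
    return {"headers": header_hits, "body": body_hits}


def metadata_alone_identifies(raw_message):
    """True when the headers, ignoring the body entirely, already carry identifiers."""
    return bool(scan_message(raw_message)["headers"])


if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    print("identifiers in metadata:", sorted(result["headers"]))
    print("identifiers in body:    ", sorted(result["body"]))
```

Run as a script it lists the categories found in each part. The headers of the constructed message yield names, e-mail addresses, a date and an IP address without the body ever being decrypted or read, which is the post's point about metadata; the body adds a phone number and a URL.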

While HIPAA spells out the circumstances under which government agencies are allowed to access PHI, most access must be preceded by a request. With a few "national security" exceptions (for which one must take an agency's word and which one may not openly question), HIPAA does not allow anyone except the patient's physician to have "carte blanche" to access the entire record (and even that may be subject to restrictions).

The NSA has the identifiers associated with every call and e-mail. Although one can only speculate, they may well have decrypted and examined the contents of those messages. If they did so on a "fishing expedition," each time they did it was a HIPAA violation.

There are three possible conclusions:

• The NSA did nothing wrong. This is unlikely in view of adverse court rulings. At a minimum there were technical violations of the law that might also be HIPAA violations.

• The NSA definitely violated HIPAA, but it is no big deal. If so, other similar "violations" are also no big deal. Perhaps HIPAA imposes requirements that are unnecessarily costly, that interfere with patient care, and that should be eliminated.

• This is a big deal. The NSA should be fined and someone should go to jail for up to one year (the prescribed criminal penalty) for violating HIPAA "unknowingly or with reasonable cause."

Personally, I don't know if this is a big deal, but I think it is. To be consistent, those who drafted and enforce HIPAA should think it is.

I do know that the NSA has seriously compromised the ability of every individual, business, and even the government itself to maintain secure communications in the future. The presence of "backdoors" inherently weakens encryption algorithms and makes them vulnerable to penetration by our adversaries. In the name of protecting our safety and security, the NSA has actually made us less safe and less secure.

What do you think?