by pavon 898 days ago
While all those are cases where LEO had legitimate reason to have access to the information, none of them provide a compelling reason why a warrant couldn't be required.

The third-party doctrine has become far too broad. There are so many situations where people share information with a third party, but also expect and deserve a right to privacy regarding that information. The fact that HIPAA doesn't provide a reasonable expectation of privacy in information shared with your doctor/pharmacist is just absurd. The law does explicitly carve out these LEO exemptions, but reasonable expectation of privacy is a constitutional right, and those carve-outs should be deemed unconstitutional. And we should extend those lines with good privacy laws all around - any information that a company is required to protect under civil privacy laws should also be exempt from the third-party doctrine and require a warrant.

2 comments

It's not just with LEOs where patient privacy gets dodgy.

I've helped get a number of tech companies HIPAA compliant, so I've become very familiar with the workings and requirements of the act. My wife, a nurse, works in medical claim management. Lots of healthcare knowledge between us.

I've had some very interesting conversations with her because of a tool she's described being used by insurance companies: medical canvassing. It's an "interesting" tool used by investigators that doesn't technically request PHI, but can paint a picture of one's past medical care.

Basically, an investigator can ask a health care provider a bunch of yes/no questions - "did the patient receive care between $DATE1 and $DATE2?" "yes" "was the patient treated for $THING_RELEVANT_BUT_UNRELATED_TO_CLAIM?" "yes" "okay, thank you, that's all we needed." No "PHI" requested, none provided, but a picture still painted... and HIPAA allows for it.

I'm very curious to know what other interesting methods exist that allow for the circumvention of patient privacy.

>Basically, an investigator can ask a health care provider a bunch of yes/no questions - "did the patient receive care between $DATE1 and $DATE2?" "yes" "was the patient treated for $THING_RELEVANT_BUT_UNRELATED_TO_CLAIM?" "yes" "okay, thank you, that's all we needed." No "PHI" requested, none provided, but a picture still painted... and HIPAA allows for it.

How is that not PHI? You asked for treatment information and it was provided. Asking it in a roundabout way doesn't sidestep HIPAA.

I am aiming to help get companies HIPAA compliant and aware this next year, both changing tech stacks and educating. Would like to connect with any resources / checklists / firms / anything that could help me help others understand.

Contact in profile if willing to chat.

I won't belabor points I've made below, but I do want to agree with you about 3rd party doctrine in general; the modern world makes it almost impossible to live a normal life without non-consensually making yourself available for full-time monitoring by everyone within eyesight of you.

I think the point of this article is actually being elided over some by the conversation here though; it appears that these agencies are largely following the law. The question is, how broad should the reach of LE go given their legitimate authority?

In the current scenario, should a LEO from Idaho be allowed to see prescription records from a pharmacy in California? Should they have the right to get data from CVS about things that didn't happen in Idaho? Every prescription ever? Every doctor's note?

The law as it stands allows states to determine the reproductive rights of their citizens and investigate violations thereof (note that I don't agree with the law, or the Supreme Court here). I think the question being raised by this letter is, what breadth of access should some Sheriff have over your medical records, and really, what the heck is even going on with this now?

The Dobbs case has opened up a new frontier of potential abuse, and I think the letter and article are appropriately exploring that frontier.