Information Laundering
I drafted the following with the intent to submit it to HHS as a comment on
the proposed medical privacy rules. Before doing that, I thought I would
ask med-privacy list members to comment on the comment.
<snip>
The Summary says the following about so-called secondary disclosure, "The
HIPAA limits the application of our proposed rule to the covered entities.
It does not provide the authority for the rule to reach many entities that
receive health information from these covered entities, so the rule cannot
put in place appropriate restrictions on how such recipients of protected
health information may use and re-disclose such information."
My concern is that providing penalties for unauthorized disclosure but not
for secondary disclosure could lead to "information laundering." I'll explain.
Suppose that a covered entity illegally discloses information to a third
party, then the third party makes it public on the Internet. The covered
entity is criminally liable under the proposed rule but not the third party or
the web site owner. Once published on the web, and perhaps linked to by the
NY Times, First Amendment rights kick in. That snapshot of information
could never be re-protected. It would be irretrievably placed in the
public domain. Hence, information laundering is the appropriate term.
Perhaps the rule-makers haven't considered the fantastic power and capacity
of modern computer equipment. The man in Florida who pocketed a floppy disk
with the names of a few hundred HIV positive people was yesterday's crime.
Consider what can be done today.
A 20 K dossier on each of 100 million citizens requires only 2 terabytes of
storage. There already are some digital media that will allow this volume
of data to be carried away in a briefcase. Within a few years, the cost and
physical size of data storage media with capacity of several terabytes will
be within the reach of ordinary home computer users. Data handling
standards, such as universal patient identifiers, online digital record
storage, and Open Data Base Connectivity, and high speed Internet backbones
make large scale theft even easier and able to be accomplished from
equipment on a single desktop.
It is, or soon will be, technically feasible for one person, acting alone,
to steal the medical records of the entire nation in a single criminal act.
Several years in prison may be harsh enough to deter theft of 100 names on
a floppy disk, but no criminal penalty can be severe enough to deter such a
massive crime. At least, that's true if only the single covered entity
committing the original act is liable, and not the secondary parties to
whom he or she disclosed the data. Those who stand to profit from public
disclosure of the records might offer a bounty of up to $10 per patient as
a laundry fee. Therefore, the payoff for "taking the fall" could be
billions of dollars.
Insurance companies in particular could stand to gain countless billions of
dollars if all the secret preexisting conditions concealed by their
policyholders were to be made public.
Anticipating that the secondary disclosure loophole may be closed in a few
years, would-be criminals may scramble to do it as soon as possible. The
proposed rules may thus be creating a window of opportunity and
inadvertently encourage bold and immediate action by wrongdoers.
The only legal solution to information laundering that I can imagine is to
write the regulations to cover the information itself, rather than the
"covered entities". That way, no matter how many times and in how many ways
the information may be passed from party to party to party, it would still
be legally encumbered. In plain words, the information could not be
laundered.
Perhaps the most relevant legal precedent is New York Times Co. v. United
States, 403 U.S. 942. The government argued that national security
information cannot be laundered and remains encumbered even if the holder
in due course is the press, and thus prior restraint was warranted. The
court ruled that there can be exceptions to the First Amendment prohibition
on prior restraint of free speech.
<snip>
--
Dick Mills www.albany.net/~dmills dmills@albany.net