July 18, 2023

Wyden, Murray, Jacobs Lead Bicameral Effort Urging Biden Administration to Protect Reproductive and All Other Health Records Against Warrantless Law Enforcement Access

Lawmakers ask HHS to expand federal health regulations to require a warrant for law enforcement access to all medical records, prohibit sharing records with other law enforcement agencies, and require patient notification of record disclosure

Washington, D.C. – U.S. Senators Ron Wyden, D-Ore., and Patty Murray, D-Wash., and U.S. Representative Sara Jacobs, D-Calif., today led colleagues in urging the Biden administration to go further in its proposed update of federal privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) and ensure that Americans’ protected health information (PHI) – for all categories of medical care – receive the same protections that emails and location data already receive.  

“Americans should be able to trust that the information they share in confidence with their doctors when seeking care will receive the highest protections under the law, regardless of the specific medical issue. But current legal protections for PHI are woefully insufficient,” the lawmakers wrote in a letter to Department of Health & Human Services (HHS) Secretary Xavier Beccera. “Although doctors cannot be forced to testify about their patients’ medical conditions in courts across the country, patient records containing the same information can be subpoenaed by law enforcement agencies, without showing probable cause of a crime and without oversight by an independent judge. The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented. HHS should ensure that Americans’ PHI receive the greatest degree of protection under federal law.”

On April 12, 2023, the Department of Health & Human Services (HHS) issued a notice of proposed rulemaking to provide additional protections when law enforcement agencies demand Americans’ medical information from doctors and other healthcare providers. While the proposed rule makes important strides in protecting reproductive health data, it does not propose a warrant standard for access to medical records containing reproductive health data, and narrowly protects certain reproductive records while not expanding the legal protections for all other categories of sensitive health records.

In their letter, the lawmakers ask HHS to go further to protect Americans’ constitutional rights and personal privacy and significantly expand the protections in the HIPAA regulations, so that all PHI is afforded the same protections as location data and the contents of phone calls, emails and text messages, including by:

  • Requiring that law enforcement agencies obtain a warrant before forcing doctors, pharmacists, and other health care providers to turn over their patients’ PHI. This change would align federal health privacy regulations with the protections for Americans’ medical records under the Fourth Amendment and is consistent with the protections afforded to other sensitive data under federal law and the Fourth Amendment. For example, law enforcement agencies need a warrant to wiretap someone’s phone calls, obtain their emails and text messages, or track their phone’s location.
  • Requiring that warrants for PHI prohibit sharing those records with other law enforcement agencies, except to further the particular investigation identified in the relevant warrant application.
  • Requiring that patients be notified when their PHI is disclosed to law enforcement agencies. Such a change in practice would be consistent with Congressionally-enacted notice requirements for wiretaps and bank subpoenas.

“Americans expect their PHI to be at least as private as their email and text messages, phone calls and location data. While federal and state courts around the country have recognized the importance of protecting Americans’ medical privacy, HHS’ regulations have lagged behind,” the lawmakers wrote. “HHS should update the HIPAA regulations to meaningfully protect the privacy of Americans’ PHI by requiring a warrant for disclosures to law enforcement agencies. Instead of limiting this higher standard to narrow categories of records, HHS should apply this protection across the board, regardless of the illness, disease, or medical issue.”

In the Senate, the letter is signed by U.S. Senators Tammy Baldwin, D-Wisc., Cory Booker, D-N.J., Sherrod Brown, D-Ohio, Maria Cantwell, D-Wash., Tammy Duckworth, D-Ill., John Fetterman, D-Penn., Kirsten Gillibrand, D-N.Y., Martin Heinrich, D-N.M., Mazie Hirono, D-Hawaii, Ed Markey, D-Mass., Alex Padilla, D-Calif., Bernie Sanders, I-Vt., Debbie Stabenow, D-Mich., Chris Van Hollen, D-Md., Raphael Warnock, D-Ga., Elizabeth Warren, D-Mass. and Peter Welch, D-Vt..

In the House, the letter is signed by U.S. Representatives Becca Balint, D-Vt., Earl Blumenauer, D-Ore., Suzanne Bonamici, D-Ore., Jasmine Crockett, D-Texas, Madeleine Dean, D-Penn., Veronica Escobar, D-Texas, Anna Eshoo, D-Calif., Josh Gottehimer, D-N.J., Raúl Grijalva, D-Ariz., Val Hoyle, D-Ore., Pramila Jayapal, D-Wash., Hank Johnson, D-Ga., Ro Khanna, D-Calif., Barbara Lee, D-Calif., Ted Lieu, D-Calif., Zoe Lofgren, D-Calif., Jim McGovern, D-Mass., Eleanor Holmes Norton, D-D.C., Ilhan Omar, D-Minn., Delia Ramirez, D-Ill., Andrea Salinas, D-Ore., Adam Schiff, D-Calif., Mikie Sherrill, D-N.J., Rashida Tlaib, D-Mich., David Trone, D-Md., Nydia Velazquez, D-N.Y., and Nikema Williams, D-Ga.

The full text of the letter is below. A signed copy can be found here.

Dear Secretary Becerra:

We write in response to the Department of Health & Human Services (HHS)’s proposed update of federal privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). We urge HHS to go further and ensure that Americans’ protected health information (PHI) — for all categories of medical care — receive the same protections that emails and location data already receive. These changes are necessary in order to protect Americans from warrantless government surveillance.

On April 12, 2023, HHS issued a notice of proposed rulemaking to provide additional protections when law enforcement agencies demand Americans’ medical information from doctors and other healthcare providers. The proposed rule requires that law enforcement demands for certain categories of PHI include a written certification promising that the information would not be used in particular ways. But HHS must go further to protect Americans’ constitutional rights and personal privacy. HHS should significantly expand the protections in the HIPAA regulations so that all PHI is afforded the same protections as location data and the contents of phone calls, emails and text messages.

There are countless categories of medical records — including those related to treatment for reproductive health, mental health conditions, cancer, dementia, neurodegenerative diseases, urology, and hospice care — that Americans hold as deeply private. Americans should be able to trust that the information they share in confidence with their doctors when seeking care will receive the highest protections under the law, regardless of the specific medical issue. But current legal protections for PHI are woefully insufficient. Although doctors cannot be forced to testify about their patients’ medical conditions in courts across the country, patient records containing the same information can be subpoenaed by law enforcement agencies, without showing probable cause of a crime and without oversight by an independent judge. The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented.

HHS should ensure that Americans’ PHI receive the greatest degree of protection under federal law:

First, HHS should require that law enforcement agencies obtain a warrant before forcing doctors, pharmacists, and other health care providers to turn over their patients’ PHI. Specifically, HHS should modify section 164.512(f)(1)(ii) of the HIPAA Privacy Rule, which currently permits law enforcement agencies to obtain PHI with a subpoena, administrative request, or a court order. This provision should instead permit healthcare providers and other regulated entities to disclose PHI to a law enforcement agency only when that agency obtains a search warrant, issued by a judge upon a finding of probable cause. HHS should also clarify that section 164.512(e) — which permits the disclosure of PHI in administrative or judicial proceedings with a subpoena, combined with notice or a protective order — cannot be used by law enforcement agencies as an end-run around a warrant requirement. This change would align federal health privacy regulations with the protections for Americans’ medical records under the Fourth Amendment. As the Courts of Appeals for the 2nd, 3rd, 4th, 7th, 9th, and 10th Circuits and state courts in Georgia, Louisiana, Ohio, Pennsylvania, and Montana have recognized, Americans have a reasonable expectation of privacy in their medical records.

Requiring a warrant for PHI is consistent with the protections afforded to other sensitive data under federal law and the Fourth Amendment to the Constitution. Law enforcement agencies need a warrant to wiretap someone’s phone calls, obtain their emails and text messages, or track their phone’s location. Americans have just as much of a reasonable expectation of privacy in their PHI as they do in the contents of their communications or their movements.  

Second, HHS should require that warrants for PHI prohibit sharing those records with other law enforcement agencies, except to further the particular investigation identified in the warrant application. PHI remains sensitive even when it is disclosed to a law enforcement agency pursuant to a warrant. Such records should not be shared with other agencies for other purposes, or shared via Fusion Centers or other government surveillance data clearinghouses.

Finally, HHS should require that patients be notified when their PHI is disclosed to law enforcement agencies. HHS already requires that health providers give patients who request it a list of all prior disclosures of their health records to third parties, including law enforcement disclosures. But very few patients routinely request such information. HHS should require providers to proactively notify patients about law enforcement disclosures, either at the time of the disclosure, or on a delayed basis if prompt notice would disrupt an active investigation. Such a change in practices would be consistent with Congressionally-enacted notice requirements for wiretaps and bank subpoenas.

We commend the work that the Administration has recently done to strengthen the HHS Office of Civil Rights (OCR), which is responsible for protecting the privacy and security of PHI in America. We acknowledge the massive increase in complaints OCR has received over the last decade, and believe Congress should provide greater investment in OCR to ensure the Office has the bandwidth to process and respond to HIPAA data breaches, while also taking on oversight of the new standards outlined in this letter. 

Americans expect their PHI to be at least as private as their email and text messages, phone calls and location data. While federal and state courts around the country have recognized the importance of protecting Americans’ medical privacy, HHS’ regulations have lagged behind. HHS should update the HIPAA regulations to meaningfully protect the privacy of Americans’ PHI by requiring a warrant for disclosures to law enforcement agencies. Instead of limiting this higher standard to narrow categories of records, HHS should apply this protection across the board, regardless of the illness, disease, or medical issue.

Thank you for your attention to this important matter.

###

Press Contact: Nicole L'Esperance / Keith Chu (Wyden)