With the overturn of Roe v. Wade, Justice Samuel Alito went on for pages and pages and pages in his written decision about abortion. It is going to create unbelievable amounts of pain and suffering for women and for the doctors who are attempting to care for them. However, the right on which Roe was decided, and Dobbs acted to disrupt, was a right to privacy.
This is not an article about abortion. It is an article about the right to privacy, and its discontents. I believe there is an opportunity created by the court’s “bull in a china shop” approach to jurisprudence. The overturn of Roe might be the legal precedent to reclaim privacy, both for women, and for all of us. This argument begins with Dobbs, takes a sharp turn at the Change Healthcare cyber attack, and ends up restoring our freedoms after arguing…and I can't believe I'm saying this…in favor of United Healthcare’s right to get off scot-free from a catastrophic HIPAA breach.
That is Doctor Junior Constitutional Law Scholar, to You!
A brief summary of my understanding, as a physician (and not a lawyer), of the legal rationale for a right to privacy in the first place:
There is a lot of focus, particularly in Samuel Alito’s Dobbs decision, on the due process clause of the 14th amendment. I’m gonna rewind us a little bit further, because I think it’s important to anchor this for general audiences—you know, the kind of general audiences who are really interested in the intricate details of constitutional law as interpreted by people who have no training in that field.
There was significant debate among the founding fathers about the necessity, or lack thereof, of having a bill of rights. They eventually, of course, chose to have one. The first 10 amendments enumerate (i.e., call out by name) specific rights that they wanted to make sure they wrote down in the constitution so that no one would miss them. But the 9th and 12th amendments to the constitution are, to me, the most important.
Article the ninth... The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people. (Emphasis mine).
Article the twelfth... The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people. (Again, emphasis mine).
Our founders were reasonably paranoid, and one of the reasons they didn’t want to write down enumerated rights was that they didn’t want anyone to assume that any right not enumerated didn’t exist. This is why the bill of rights sits in amendments rather than in the body of the constitution itself. But the 9th and 12th amendments basically say that there are a bunch of other rights that the government doesn’t control at the federal level.
More rights exist and are presumed than were explicitly written down at the time of the crafting of this extraordinary document.
This is why, when the Supreme Court made the original Roe v. Wade decision, it rested upon an interpretation of the constitution that took the due process clause of the 14th amendment and reasoned that this due process clause applied to the not-yet-enumerated right to privacy. This, in turn, allowed them to decide that individual states could not pass laws that would abridge this right. Among these rights was the right to decide on medical care privately, explicitly including abortion.
This thought process, whether you’re a constitutional scholar or not, is basically how “Supreme Court deciding” works. We have a basic scaffold, which is the constitution itself together with the rights written down in it and its amendments, and the justices are essentially resolving “edge cases” iteratively. Their job isn’t really to say what is or is not a right; it’s to determine whether the question in front of them has to do with a right that is covered in the scope of the constitution. In the case of some right that is not covered by the constitution, that means throwing it in the bucket of things to be decided by the states, or (sadly, much less frequently) in the bucket of things to be decided by the people themselves. M.C. Hammer’s “You Can’t Touch This” has a similar unavoidable logic.
I’d Like to Enumerate the World a Coke
I have a really basic example which I hope makes this more clear: Let’s say I am really thirsty, and I’d like a Coke. Were I to be prevented from purchasing a Coca-Cola from a vending machine, I could, assuming I was extremely litigious, file a lawsuit.
Let’s say this vending machine is magic and there is no way in which it has any interaction with any interstate commerce. It is in the same state as Coke is manufactured. It is not hooked up to the internet or anything.
I have a right to have my thirst quenched. I know you don’t see the cool satisfaction of a Coke on a hot day in the constitution. There is no presumed legal review necessary to drink a Coke. Coca-Cola is not under the domain of due process. This is an example of a right reserved to the states, or to me as an individual, by the 12th amendment.
Now, join me for an insane thought experiment: Imagine I have decided to become a public health zealot and pass a law that permits me to put to death any individual with an abrupt spike in blood sugar resulting from the drinking of a Coca-Cola. To make it even more punitive, any abrupt spike in blood sugar will be presumed to be due to the delicious and thirst quenching— but, regrettably, sugar-soaked—beverage. That spike in blood sugar will be evidence used to put an individual to death for the violation of the No Refreshing Coke Act of 2022. In the state of New York, you can bet that previous administrations would have gone to this length if only they were allowed. I’m looking at you, Bloomberg (j/k).
This sounds insane. But this is actually the situation we are now in with healthcare in America. No one wants to be put to death for getting their thirst quenched, or any other need for that matter. This brings us to the most misunderstood law in healthcare, which we presume has something to do with privacy, and we even more frequently misspell:
The Health Insurance Portability and Accountability Act
In 1996, HIPAA was passed as a federal law. It allowed for both the protections of personal health information and the disclosure of that same personal health information by covered entities. Importantly, this does not include everyone. This is really really really really really important. The following groups are considered covered entities under HIPAA, meaning that they have to comply with this federal law:
Healthcare providers: Every healthcare provider, regardless of the size of their practice, who electronically transmits health information in connection with certain transactions. These transactions include:
Claims.
Benefit eligibility inquiries.
Referral authorization requests.
Other transactions for which HHS has established standards under the HIPAA Transactions Rule.
You’re gonna notice something specific about the above. It applies to all healthcare providers who process the transactions enumerated. That is not all transactions. It’s just the transactions that interface with traditional health insurance: claims, benefit eligibility inquiries, authorization requests, and the other HIPAA standard transactions. It doesn’t mean everybody, only the providers who handle those specific transactions.
Let’s say you have a medical practice and you take no insurance whatsoever, you never check benefits eligibility, and you only ever get paid in ways that fall outside those standard transactions. In that case, you would not be considered a HIPAA-covered entity.
This means that the entirety of the law, including the protections around specific health information and the requirements that let others access that information, does not apply to this practice. It does not apply to the patients who go to this practice. It does not apply to the health technology this practice uses. It does not apply to the medical records that this practice keeps. Now, in all practicality, there was previously almost no reason for anyone to engineer non-compliance solutions.
Until now…
Let’s dig a little bit deeper: The following are also considered covered entities:
Health plans, which include:
Health, dental, vision, and prescription drug insurers.
Health maintenance organizations (HMOs).
Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers.
Long-term care insurers (excluding nursing home fixed-indemnity policies).
Employer-sponsored group health plans.
Government- and church-sponsored health plans.
Multi-employer health plans.
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
So, as we can see, the law enumerates what is considered a health plan. It also specifically excludes group health plans with fewer than 50 participants that are administered solely by employers. These specific types of plans are not covered entities, and therefore HIPAA does not apply to them.
Let’s figure out what the full scope of covered entities looks like:
Healthcare clearinghouses: Entities—like Change Healthcare—that process nonstandard information they receive from another entity into standard information (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include:
Claims processing.
Data analysis.
Utilization review.
Billing.
Most of the activities acquired by Change Healthcare.
A careful reading of the above makes it clear that business associates covered by business associate agreements only have to comply with HIPAA if they’re performing services for a covered entity.
But why would we ever want to not comply with it? Isn’t privacy important? Of course it is. But here is the sneaky and shitty part of that law: it allows for the punishment of violations by individuals working with covered entities, but it also allows for the disclosure of information without the consent of the person in certain circumstances.
The law permits, but does not require, a covered entity to use and disclose protected health information (PHI), without an individual’s authorization, for the following purposes or situations:
Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual).
Treatment, payment, and healthcare operations.
Opportunity to agree or object to the disclosure of PHI:
An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object.
Incident to an otherwise permitted use and disclosure.
Limited dataset for research, public health, or healthcare operations.
Public interest and benefit activities—the privacy rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes:
When required by law.
Public health activities.
Victims of abuse or neglect or domestic violence.
Health oversight activities.
Judicial and administrative proceedings.
Law enforcement.
Functions (such as identification) concerning deceased persons.
Cadaveric organ, eye, or tissue donation.
Research, under certain conditions.
To prevent or lessen a serious threat to health or safety.
Essential government functions.
Workers’ compensation.
I want you to take a deep breath, and understand what the above law allows: a massive government back door into our personal health information whenever they deem it necessary. So, in the absence of a federal right to privacy, any state can pass any law in which it now has a government interest in law enforcement. If there is no limit on the laws they can pass that invade our privacy, literally any law passed can allow the government to access our health information.
The absolutely infuriating thing? Although the government could use this law to enforce our right to privacy, there is no private ability—in legal jargon, a private right of action—to use this law to enforce our rights. HIPAA lets the government sue. Not citizens.
It also builds an easy back door into our privacy for government purposes. Remember—no warrant is required. The government just has to assert an essential function, or a law enforcement purpose, or a health oversight rationale, and they can get into our protected health information.
This Brings Us to Change Healthcare.
Prior writing in the newsletter has outlined the massive scope of Change and its UHC parent company. It's a bank. It has your home address. It's a pharmacy. It's a pharmacy benefit manager. It's a pharmacy switch. It's a radiology imaging system. It's a claims verification system. It's every other system. It knows who we are, where we live, what illnesses we have, how much our doctors are being paid for them, how much we owe as a co-pay, what medications were prescribed, when we picked them up, and when we didn't. Just imagine the amount of data—now accessible to cyber criminals—that was previously accessible to the government without a warrant.
If you wanted any of that information about an American citizen and it wasn't running through a healthcare system? You’d need a warrant.
There was at least some judicial oversight for any requested information under the Patriot Act. There is no judicial oversight necessary if authorities are using HIPAA. One of the reasons that I believe the Change acquisition was allowed to go through? It made it easier for government officials to get access to our personal information without having to get those pesky warrants.
I believe there is now an opportunity. The opportunity is to use the demolished federal right to privacy—the basis of Dobbs—to challenge the validity of HIPAA at the federal level. The federal government has not used its authority to safeguard our privacy when it is violated by massive corporations like Change Healthcare. There will be no meaningful punishments brought to bear by the Department of Justice. It would bankrupt United Healthcare. That can't happen! They make a lot of donations to politicians.
However, one of the ways United could get out of having to pay anything for those HIPAA fines? Just challenge HIPAA. In the courts. If the challenge were based on the Dobbs decision? The Supreme Court will never do anything to undercut that. I believe HIPAA will be overturned. The federal back door into our private information will close with it.
I would love to see a private right of action. California’s laws already offer this, and other states could follow suit. Massive data breaches that leak our information are going to continue happening, and as citizens, I believe we should have the right to enforce what the government is unwilling to enforce. We have a right to our privacy, it is an unenumerated right at the federal level, and we should fight for our rights at the state level. I will note that this includes a woman's right to have private medical care.
I believe this will allow all of us to robustly defend our protected and very personal health information from hackers and government busybodies alike.
The irony? United Healthcare defending its right to not pay a dime? It might be the one path to winning our right to privacy back.