News, Developments, and Insights

high-tech technology background with eyes on computer display

Virginia Tech Shooter

Marc Fisher, a Washington Post columnist, has a column in the Washington Post complaining about how privacy laws are getting in the way of the investigation into the background of the Virginia Tech Shooter. He writes:

But the Virginia state panel investigating the shootings has already done enough poking around to show that any effort at reform will run straight into a solid wall built out of federal privacy regulations. . . .

The state investigation has been unable so far to get hold of the records that would show how Seung-Hui Cho’s mental problems were dealt with by the university or the state.

Even though Cho is dead, his records remain under lock and key because of a federal privacy law that keeps medical records sealed…forever. In general, privacy rights expire when you do. That’s as it should be–what possible right to privacy can you have when you’re merely a memory?

When the feds were writing new privacy rules a few years ago, the government initially proposed to keep medical records confidential for two years after a person died. But the feds caved to privacy advocates who insisted that releasing such records could hurt living people, for example, if genetic information about the dead person were made public. . . .

The rules are now so wildly slanted toward keeping secrets that hospitals, doctors, mental health clinics, universities and others who deal with people like Cho can pretty much do whatever they want, without any effective public check on their handling of a case. Even after a mass murderer dies, it’s unnecessarily difficult to hold institutions accountable.

Fisher’s op-ed makes it sound as if the law absolutely bars the obtaining of the records. Fisher doesn’t mention any particular laws (he only links to an HHS comment about one rule under HIPAA, but not the rule regulating access to records) or even discuss the standards that the law requires. But if one were to actually look at the law, it becomes clear that Fisher’s gripe doesn’t really exist. Unless I’m missing something, state officials could simply get a court order or subpoena to obtain the records.

The law isn’t “wildly slanted” toward protecting privacy; nor does it erect a “solid wall” that prevents the investigation from getting the records. Nearly all privacy statutes allow government investigatory officials to obtain records with a mere court order or even a subpoena. The HIPAA regulations, for example, allow for the disclosure of health information pursuant to a court order or an “administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process authorized under law.” 45 C.F.R. 164.512(f). The Family Education Rights and Privacy Act (FERPA) allows officials to obtain school records with a mere “subpoena issued for a law enforcement purpose.” 20 U.S.C. 1232g (b)(1)(a)(J)(ii). Subpoenas are very easy to use. So what’s the big deal here?

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01