Rep. Sara Jacobs. Image: U.S. Embassy Tallinn / Flickr

Legislators: HHS is failing to adequately protect health records from law enforcement

Lawmakers are demanding that the Department of Health and Human Services bar law enforcement from accessing reproductive and other health records without a warrant.

The letter sent Tuesday by Sens. Ron Wyden (D-OR) and Patty Murray (D-WA), Rep. Sara Jacobs (D-CA) and others also urges HHS Secretary Xavier Becerra to broaden federal health regulations to require law enforcement to alert patients when records are disclosed and prevent investigators from sharing records with other agencies.

The legislators’ plea comes in the wake of HHS’s April release of a proposed update of federal privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). Those rules would require that law enforcement requests for some categories of protected health information (PHI) include a written certification promising it will only be used in specifically allowable ways.

However, the legislators say that those rules would not be the same as requiring a warrant. The HHS rules must be expanded to shield PHI as comprehensively as a person’s location data, phone calls, emails and text messages, the letter says.

“There are countless categories of medical records — including those related to treatment for reproductive health, mental health conditions, cancer, dementia, neurodegenerative diseases, urology, and hospice care — that Americans hold as deeply private,” the letter says. “But current legal protections for PHI are woefully insufficient.”

While doctors are allowed to refuse to testify about patients’ medical conditions in court, records containing the same information can be subpoenaed by law enforcement agencies. Probable cause of a crime is not required for such subpoenas, and there is currently no rule ensuring oversight by an independent judge.

“The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented,” the letter says.

The letter observes that HHS’s April update of HIPAA regulations limits protections from warrantless access by law enforcement only to narrow categories of records.

“Americans expect their PHI to be at least as private as their email and text messages, phone calls and location data,” the letter says. “While federal and state courts around the country have recognized the importance of protecting Americans’ medical privacy, HHS’ regulations have lagged behind.”


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.