DOJ Misleads Court About Medical And Financial Records In Appeals Over NSA Surveillance
from the because-that's-what-the-DOJ-does dept
Earlier this week, the Ninth Circuit heard oral arguments in a challenge to the NSA's phone metadata program. While watching, I noticed some quite misleading legal claims by the government's counsel. I then reviewed last month's oral arguments in the D.C. Circuit, and I spotted a similar assertion.
In both cases, the government attorney waved away constitutional concerns about medical and financial records. Congress, he suggested, has already stepped in to protect those files.
With respect to ordinary law enforcement investigations, that's only slightly true. And with respect to national security investigations, that's really not right.
Medical Records
During Smith, the Ninth Circuit case, there was an extended line of questioning about various sorts of business records. Judge Hawkins kicked it off:
Suppose the National Security Agency wanted access to all utility records. Nationwide. Would that rationale apply?
Subsequent discussion touched on hotel and financial records. Then Judge McKeown asked:
What about medical records?
The Department of Justice attorney responded:
Well medical records, Judge McKeown I'm so glad you asked that because this is really an important point, medical records would be subject to HIPAA, among other protections.
A similar question in Klayman, the D.C. Circuit case, drew a similar response.
HIPAA, in your example Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information.
Later in the Smith argument, counsel reemphasized the importance of HIPAA, including:
But I think the significance of HIPAA can't be discounted.
By way of background, the Health Insurance Portability and Accountability Act is the primary federal law that addresses health records. Under HIPAA, the Department of Health and Human Services is empowered to promulgate detailed privacy rules.
Here's the catch: the HIPAA privacy rules have special exceptions for law enforcement and national security investigations.
The law enforcement provision is very broad. It covers all the usual police procedures, including subpoenas. Those don't require a judge's advance permission, and they also require much less basis than probable cause.
The national security exception is, of course, even more pertinent to the Smith and Klayman cases. And it's even broader.
A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).
In non-legalese: HIPAA just doesn't apply to the NSA.[1] And yet, in two separate NSA appeals, the government has emphasized HIPAA.[2]
Financial Records
In the Smith argument, government counsel twice noted that Congress has enacted privacy protections for financial records.
Following Miller, Congress enacted the financial privacy protections by statute.
In response to Miller, that Congress enacted a bank records protection of privacy . . .
Similarly, in Klayman:
For example, following the Miller case, Congress passed a statute governing the secrecy of bank records.
As background, United States v. Miller held that routine financial records are not protected by the Fourth Amendment. Two years later, Congress passed the Right to Financial Privacy Act… which largely codified Miller. Law enforcement agencies can still access financial records with just a subpoena.[3]
What's more, RFPA includes a special set of national security procedures. Federal grand jury subpoenas and warrants aren't covered by RFPA, so long as the investigating agency self-certifies “there may result a danger to the national security of the United States.”
RFPA also includes a National Security Letter provision. In counter-intelligence and counter-terrorism investigations, the FBI (and, by proxy, the NSA) doesn't even need a grand jury subpoena. It can demand financial records with a mere self-certification.
So, once again: in a national security appeal, why emphasize privacy protections that don't extend to national security investigations?
Section 215 of the USA PATRIOT Act
The precise statutory provision at issue in Smith and Klayman is Section 215 of the USA PATRIOT Act. It allows FBI (and NSA) access to any business records when conducting a counter-intelligence or counter-terrorism investigation.[4] A FISA judge's approval is required, though the standard for issuance is very low.
Section 215 covers medical records. A part of the statute, in fact, expressly addresses them.
Section 215 also covers financial records. In a 2010 opinion, the FISA Court held as much. And, in fact, the CIA operates a bulk financial surveillance program under Section 215.
In sum: not only are national security investigations generally outside HIPAA and RFPA, but the very same authority at issue in Smith and Klayman allows access to medical and financial records.
Concluding Thoughts
Reasonable minds can disagree on whether the government's representations in Smith and Klayman were literally false. At minimum, they were highly misleading.
United States privacy law is notoriously convoluted. But this much is certain: medical and financial records are, by statute and rule, readily available to the intelligence community. The executive branch shouldn't even hint otherwise.
Thanks to the colleagues who provided feedback on the legal analysis in this post. All views are solely my own.
1. In most instances of domestic surveillance, NSA requests are passed through the FBI. Since the National Security Act designates the FBI as a member of the intelligence community, its national security investigations are also unregulated by HIPAA.
2. In a charitable interpretation, the attorney misspoke while attempting to note that Congress can craft more nuanced privacy rules than the courts, and that Congress can provide privacy protections beyond the Fourth Amendment. Those points are undoubtedly true, though undoubtedly known to the judges.
3. A plain reading of RFPA suggests some privacy protection: targets receive advance notice of a subpoena and have an opportunity to contest the subpoena. In everyday practice, however, RFPA's delayed notice provisions have swallowed the rule. Law enforcement agencies routinely obtain court orders that both eliminate the advance notice requirement and temporarily gag financial institutions from disclosure.
4. Where U.S. persons aren't involved, any foreign intelligence purpose is sufficient.
Reposted from Web Policy
Filed Under: 4th amendment, bank records, doj, hipaa, klayman, nsa, patriot act, privacy, rfpa, section 215, smith, surveillance
Reader Comments
Hmm...
The ridiculous thing is, people go to court to have disputes etc. settled and they expect the lawyers to tell the truth, especially when they are lawyers from the United States of America Department of Justice. The last thing expected is for lies and mistruths to be used and/or spread. Getting a win may well be extremely important, but it should not be as important as having the truth out for examination!
Need to know [was Re: ]
Aren't those who need to know ——aren't they the people of the United States of America?
Re:
This is why the one with the most money usually wins... the Game of Courts... sans the boobs... well not in all cases.
Posner on 4th amendment
http://apps.law.georgetown.edu/webcasts/eventDetail.cfm?eventID=2532
Cybercrime 2020
The Future of Online Crime and Investigations
Co-sponsored by Georgetown Law and the
Criminal Division of the U.S. Department of Justice
December 4, 2014
Why are we surprised?