« Coalition for Debtor Education | Main | It's All Up to You »

Healthcare Privacy and Bankruptcy

posted by Ted Janger & Susan Block-Lieb
Yesterday I (Ted) was invited to testify at an HHS advisory committee hearing on healthcare privacy.  My assigned topic was to describe the effect of bankruptcy on the privacy protection afforded medical information held by entities that are not covered by the HIPAA Privacy Rule
The hearing raised the problem of transfers of patient medical information in two contexts:
  1. B2B, when health care providers give patient information to other non-covered "Business Associates" for purposes such as billing or data analysis; and
  2. B2C, when patients either provide medical information to non-covered entities, or authorize their doctors to do so.  An example is the emerging concept of a portable electronic healthcare record.

The short answer used to be that confidentiality promises are contracts and that breach of contract claims end up getting paid in bankruptcy dollars.  The chair of the committee presumably knew that I would say this because I'd already said it once before in a slightly different context.  Edward J. Janger, Genetic Information, Privacy and Insolvency, 33 J. L. Med. & Ethics 79 (2005).

He probably didn't expect that he'd be giving me my first chance to think about the effect on my answer of the so-called Leahy Amendment, contained in BAPCPA. The Leahy Amendment amends section 363 and adds a new section 332 to the Code.  These provisions prohibit the sale of customer data in violation of a published privacy policy unless a "consumer privacy ombudsman" is appointed and the court approves the sale.

So, does the Leahy Amendment enhance the security and protection of your medical records?  Bottom line, a qualified "No."

In the B2B context, the answer is relatively easy, but troubling.  The Leahy Amendment only applies if a debtor has made a direct promise, in connection with a sale of goods or services, not to share personal information.  Since there is no direct relationship between you and your doctor's Business Associate, the Leahy Amendment simply doesn't apply.  Thus, if a Business Associate fails and breaches its contract with the HIPAA covered entity (your doctor) by selling or failing to protect your data, the sole protection is likely to be a contract or tort claim in the Business Associate's bankruptcy.  This is not just a problem under HIPAA.  A similar strategy of regulating outsourced data processing services through contract is used to protect financial privacy under the Gramm Leach Bliley Act. (for a more extended discussion see here).

In the B2C context, the Leahy Amendment applies, but does not do much good, because it relies entirely on consumers to contract effectively for privacy protection.  The Leahy Amendment was formulated in response to the Toysmart case, where a first generation dot.com sought to break a privacy promise by selling its customer lists in bankruptcy.  The Leahy Amendment solves that limited problem, but ignores the fact that most modern "privacy policies" are privacy policies in name only.  In most cases the privacy policy is merely a disclosure of the ways in which an entity will use and share your data.

Now, here's the qualification.  The other folks testifying during my session were proponents of various forms of online medical record data banks.  The idea, a good one in theory, is that a patient's medical history should be available in one central location so that doctors can have the benefit of a patient's full medical history, even if the services were provided years ago, in another city, and the patient has forgotten. Needless to say, the providers of these services promise the patients absolute control over their own information.  These facts look like Toysmart, and here, the Leahy Amendment would provide significant protection.

However, there are two reasons why I'm still dubious. 

  • First, the Leahy Amendment only applies in bankruptcy, so a data sale that occurred prior to bankruptcy would not receive any protection. 
  • Second, the problem with these online medical data banks runs to a deeper consumer contracting problem rather than a bankruptcy problem.  Even if consumers are given absolute control over their medical records, that control includes the power to give them away to people who ask for them (such as employers or insurers).

Here medical privacy begins to look a lot like consumer credit, and poses a question that is similar to the ones that Susan and I have been asking elsewhere.  To what extent do our concerns about consumer contracting that arise from problems of cognition, heuristic bias, time inconsistent preference, and plain old adhesion and inequality of bargaining power counsel limitations on consumer choice?


The comments to this entry are closed.


Current Guests

Follow Us On Twitter

Like Us on Facebook

  • Like Us on Facebook

    By "Liking" us on Facebook, you will receive excerpts of our posts in your Facebook news feed. (If you change your mind, you can undo it later.) Note that this is different than "Liking" our Facebook page, although a "Like" in either place will get you Credit Slips post on your Facebook news feed.



  • As a public service, the University of Illinois College of Law operates Bankr-L, an e-mail list on which bankruptcy professionals can exchange information. Bankr-L is administered by one of the Credit Slips bloggers, Professor Robert M. Lawless of the University of Illinois. Although Bankr-L is a free service, membership is limited only to persons with a professional connection to the bankruptcy field (e.g., lawyer, accountant, academic, judge). To request a subscription on Bankr-L, click here to visit the page for the list and then click on the link for "Subscribe." After completing the information there, please also send an e-mail to Professor Lawless ([email protected]) with a short description of your professional connection to bankruptcy. A link to a URL with a professional bio or other identifying information would be great.