On the day after Christmas 2007, U.S. Sen. Jim Webb (D-Va.) traveled to the Capitol, where he presided over a near-empty Senate chamber. Webb, a retired Marine Corps veteran of the Vietnam War and a former secretary of the Navy, opened the session and then, just seconds later, gaveled it to a close.
The main aim of this and the other pro-forma sessions held by Senate Democrats over what otherwise would have been a traditional congressional holiday break was to thwart any attempt by President George W. Bush to make a recess appointment of one man, Steven Bradbury, to the powerful position of assistant attorney general.
Since 2005, working under various temporary titles, Bradbury has served the Justice Department as head of its obscure but highly influential Office of Legal Counsel. His elevation to assistant attorney general, if the appointment had ever been confirmed by the Senate, would have given Bradbury the rank that his predecessor, Jack Goldsmith, held when he had the job as the head of the OLC from October 2003 through June 2004. But Bradbury’s nomination has been blocked three times in the Senate since 2005, most recently in January 2007. Early this year, Bush held up the nominations of more than 80 appointments in an attempt to embarrass Democrats and leverage the Senate into confirming Bradbury, according to published reports and Senate testimony by Majority Leader Harry Reid (D-Nev.). It didn’t work.
Bradbury’s legal opinions at OLC have had a controversial impact on both national security information-gathering and electronic healthcare information privacy. In an October 2007 letter to the president, Sens. Richard Durbin (D-Ill.), Russ Feingold (D-Wis.) and Edward Kennedy (D-Mass.) asked Bush to withdraw Bradbury’s nomination, citing “reports regarding Mr. Bradbury’s involvement in approving the legality of abusive interrogation techniques” and “serious unresolved questions” about Bradbury’s role in the domestic surveillance program.
Not the first flap
It is, by no means, the first privacy flap involving Bradbury, a former clerk to U.S. Supreme Court Justice Clarence Thomas and a partner with the law firm of Kirkland & Ellis, where he once represented telecommunications giants Bell Telephone Co. and GTE Corp.
In 2005, Bradbury wrote a controversial OLC opinion that severely restricted the scope of the criminal penalty provisions of the Health Insurance Portability and Accountability Act of 1996. By doing so, Bradbury encumbered federal prosecutors seeking to jail HIPAA privacy violators who are not “covered entities.” As defined in the law, those entities are providers, payers and claims clearinghouses.
OLC opinions are not mere informational guidelines that prosecutors can take or leave. Unless overruled by the president, they bind all executive branch officials, including the 93 U.S. attorneys.
In his 256-page book, The Terror Presidency, Goldsmith writes about his tenure as the head of the Office of Legal Counsel. He describes the office’s opinions as, in essence, legal dispensations. Goldsmith details how he developed legal opinions that not only guided national security agents pressured to “take risks” to combat terrorism but also provided legal cover for top government officials making policy decisions on such weighty issues as denying habeas corpus rights to “enemy combatants,” the treatment of prisoners under the Geneva Conventions and the permissibility of “aggressive” interrogation techniques.
The book also touches, gingerly, on the government’s controversial domestic surveillance program.
Goldsmith, like his OLC successor Bradbury, wrestled with fundamental questions about electronic communications and records privacy as the Bush administration and Congress began overlapping domestic law-enforcement organizations, particularly drug enforcement, and the various intelligence agencies and their foreign and domestic surveillance programs.
By January 2004, according to his book, Goldsmith was “trying to find a way to put an important counterterrorism initiative on a proper legal footing,” deciding, ultimately, that he “could not support the initiative’s legality.” Goldsmith writes that his refusal to reauthorize this program led to a confrontation with David Addington, then the top legal adviser to Vice President Dick Cheney, and an icy warning. “If you rule that way, the blood of the hundred thousand people who die in the next attack will be on your hands,” Addington said, according to Goldsmith’s retelling.
It was, Goldsmith writes, the most difficult decision of his term at OLC. But that decision—not to recertify the legality of Bush’s surveillance program—was accepted by then-Deputy Attorney General James Comey, who in turn persuaded then-Attorney General John Ashcroft to support Goldsmith’s judgment. Then, suddenly, Ashcroft was hospitalized for emergency gall bladder surgery and appointed Comey as acting attorney general.
A trip to the hospital
That set the stage for an extraordinary scene. On the night of March 10, 2004, the day before Ashcroft’s previous certification of legality of the surveillance program expired, Comey, Goldsmith and FBI Director Robert Mueller raced by car to Ashcroft’s bedside at George Washington Hospital. Their aim was to head off then-White House Counsel Alberto Gonzales and Chief of Staff Andrew Card before word got to Ashcroft, who reportedly was sedated and in intensive care.
On May 15, 2007, Comey told members of the Senate Judiciary Committee he’d been tipped off by Ashcroft’s chief of staff, David Ayers, who’d received a phone call from Ashcroft’s wife, who in turn had received a call “from the president himself,” according to Comey’s recollection, and that Gonzales and Card had been dispatched and were on their way to the ailing Ashcroft’s hospital room. Comey said he called Goldsmith and Mueller for backup because he was worried the two Bush officials would attempt to persuade the critically ill Ashcroft to reverse Goldsmith’s and Comey’s decision and recertify the counterterrorism initiative as legal under U.S. law.
Goldsmith was cagey about identifying the program in his book. Comey, similarly, would not disclose the nature of the program in his Senate Judiciary Committee testimony. And Gonzales, under questioning from Sen. Charles Schumer (D-N.Y.), testified before the same Senate committee on July 24, 2007, that he was dispatched “on behalf of the president” to deal with “one of the president’s premier programs.” But Mueller, in a July 26, 2007, hearing before the House Judiciary Committee, confirmed that what everyone was hedging about was the reauthorization of the Bush administration’s wiretapping program, “an NSA program that has been much discussed.” Reporter Barton Gellman’s account of the showdown at Ashcroft’s bedside was reported this September in the Washington Post.
In January 2004, while Goldsmith was wrestling with the wiretapping program, he received a written request from Paul Murphy, a fellow Justice Department lawyer, asking Goldsmith to prepare an Office of Legal Counsel opinion on the scope of the criminal penalty provisions of HIPAA.
Goldsmith apparently received at least three follow-up letters about HIPAA enforcement while he headed the office, the last coming in May 2004, the month before he left OLC, according to footnotes in the final opinion issued by Bradbury. It took 18 months after Murphy’s initial request to Goldsmith for an opinion on HIPAA to be produced.
In response to several telephone and e-mail requests for an interview, Goldsmith, now a member of the faculty at Harvard Law School, responded by e-mail about Murphy’s request, saying “I remember literally nothing about it,” but added, “even if I did, I could not talk about it.”
The Justice Department also denied a request from Modern Healthcare for copies of the 11 items of correspondence mentioned in the footnotes, documents Bradbury said in the opinion that he considered in reaching his final opinion.
One of those documents was a memo from John McKay, the U.S. attorney in Seattle whose office convicted Richard Gibson in the first criminal HIPAA prosecution in history. Gibson was a Seattle healthcare worker who pleaded guilty to using the healthcare records of cancer patient Eric Drew to steal his identity and go on a credit card shopping spree. McKay was given the U.S. Navy’s highest civilian honor, the Distinguished Public Service Award, for his work developing the Law Enforcement Information Exchange, a computer network for sharing information between federal, state and local law enforcement agencies. The exchange was funded by the Navy and developed through the Navy Criminal Investigative Service. But McKay was also one of eight federal prosecutors forced out by the Bush administration, a move that launched an ongoing congressional investigation to determine whether the firings were politically motivated or illegal.
In denying the document request for McKay’s and others’ correspondence with the Office of Legal Counsel regarding the scope of HIPAA’s criminal provisions, Justice Department spokesman Erik Ablin said that the correspondence was “protected by attorney-client and deliberative-process privilege.”
Requests for comment from Bradbury had not been returned by deadline.
In his book, Goldsmith stressed the tremendous reach of the Office of Legal Counsel’s opinions.
“If OLC interprets a law to allow a proposed action, then the Justice Department won’t prosecute those who rely on the OLC ruling,” Goldsmith wrote. “Even independent counsels would have trouble going after someone who reasonably relied on one. … One consequence of OLC’s authority to interpret the law is the power to bestow on government officials what is effectively an advance pardon for actions taken at the edges of vague criminal laws. … It is one of the most momentous and dangerous powers in the government: the power to dispense get-out-of-jail-free cards.”
When it came to national security issues, Goldsmith wrote in his book, it was his job to interpret the law in light of government policies and to issue OLC opinions “to make sure the president could act right up to the chalk line of legality.” The president, Goldsmith wrote, “Had to do what he had to do to protect the country. And the lawyers had to find some way to make what he did legal.”
And yet, when he arrived at OLC, Goldsmith wrote that he reviewed a number of then-current OLC opinions that were “deeply flawed, sloppily reasoned, overbroad and incautious in asserting extraordinary constitutional authority on behalf of the president.”
Bradbury, in his 14-page HIPAA opinion dated June 1, 2005, told federal prosecutors—and current or would-be privacy violators, including, presumably, government officials—that, generally speaking, only covered entities, not their employees or other third parties who obtain and misuse patient information, could be criminally charged with HIPAA privacy violations. The statute said a HIPAA privacy violator is “A person who knowingly ... uses or causes to be used” protected healthcare information contrary to the law. It calls for the stiffest fines and sentences of up to $250,000 and 10 years in prison for the most egregious privacy violators, those “with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm.” Since most covered entities are corporations, the Bradbury ruling seemed to make moot the penalty of incarceration, according to a legal expert critical of the opinion.
“We all know that hospitals and health insurance companies don’t go to jail,” wrote Peter Swire, a lawyer, Ohio State University law professor and former Clinton administration HIPAA adviser, in a written rebuttal to the Bradbury opinion published online by the Center for American Progress. “The common sense of the statute is that Congress intended individuals who violated the HIPAA rules to go to jail.”
Swire, who served a stint as chief counselor for privacy in Clinton’s Office of Management and Budget, called Bradbury’s interpretation of the HIPAA statute “absurd,” adding that it was at once both “bad law and bad policy.”
These two events—Bradbury’s alleged involvement in the domestic surveillance program and his writing an OLC opinion exempting those who improperly “used or caused to be used” healthcare data but who are not covered entities—may well be just a strange coincidence.
Paul Murphy was the associate deputy attorney general at the Justice Department when he wrote Goldsmith in mid-January 2004 first asking for the OLC opinion on the scope of the criminal penalty provisions of HIPAA. Murphy said that during his tenure at the Justice Department, he had a varied portfolio of work, which included healthcare fraud, criminal and civil matters as well as HIPAA. Murphy said he also served as chief of staff for three deputy attorneys general, the last being Comey, before Murphy left Washington in late January 2004 to become the U.S. attorney in Savannah, Ga.
Murphy is now a partner with the Atlanta law firm of King & Spalding.
The compliance deadline for the HIPAA privacy rule, and the trigger date for its criminal penalty provision, was April 14, 2003. Thus, by the time Murphy had written to Goldsmith asking for his opinion about the scope of HIPAA’s criminal penalties, the nation’s key healthcare privacy law already had been in full force for nine months. By the time Bradbury answered with an OLC opinion, the criminal law had been in effect for more than two years. Meanwhile, Gibson and another HIPAA violator in New York had been prosecuted under the initial interpretation that the criminal provisions of HIPAA applied to everyone, whether they were a covered entity or not. Those two would be the last, however. All subsequent federal prosecutions citing HIPAA criminal privacy violations—and there have been only a handful since—have used a legal theory that requires bootstrapping HIPAA onto another criminal statute.
Murphy said that his request to the OLC wasn’t the result of any pending criminal case.
“It was driven by a desire to make sure the parameters of the statute were clear to everybody, prosecutors and providers alike,” Murphy said. “It was a reasonably new statute and there was some concern in the provider community. There was a lot of hand-wringing.”
But Murphy said he does not remember the specific providers that expressed concern and asked for the clarification. “A lot of this was so long ago, that all the details, I can’t recall.”
Asked if the law’s effects on electronic surveillance or data-mining, either by the government or private entities, may have been at issue, Murphy said, “I don’t recall anything like that. I had no discussion and I don’t know of any discussions with any telecom companies or any data miners. That was not the genesis of this. The real genesis of this was to make certain that prosecutors and the provider community knew what the parameters of this statute were.”
Was Bradbury’s legal opinion on HIPAA a get-out-of-jail-free card for data miners, and by extension, the government itself?
Barry Steinhardt, a lawyer who heads the technology and liberty program for the American Civil Liberties Union, said HIPAA provides no private right of action that would allow patients whose records have been improperly viewed or used by a data handler or data-miner to sue for civil damages. But, he said, “There are criminal penalties in HIPAA only a federal prosecutor can pursue. If I were the telecoms, I would be concerned about rogue prosecutors bringing prosecutions under HIPAA. They have reason to worry.”
Bradbury’s opinion was all the more unusual because it carried the potential to jeopardize the two HIPAA criminal prosecutions already in the can, both of which could have been appealed, citing the Bradbury memo.
Susan Loitz, the federal prosecutor on the Gibson case, recalled the victim, Eric Drew, initiated contact by calling and first speaking with a colleague. Loitz said she promptly returned Drew’s call and began her work. Based on a contemporaneous e-mail in her records, she said March 8, 2004, “was probably the day that I called him.” That was nearly two months after Murphy wrote Goldsmith on Jan. 14, 2004, first requesting an OLC review of the HIPAA criminal penalty provision, timing that would support Murphy’s recollection that the request was not driven by a pending criminal case.
But according to Loitz, there was no confusion in her mind, in her office, or in the Justice Department in Washington, about the HIPAA criminal provision or whether it applied to Gibson, even though it was the first prosecution under the then 16-month-old law.
Under a plea agreement, Gibson admitted to using Drew’s name, date of birth and other personal information to fraudulently obtain several credit cards and go on a $9,000 shopping spree. On Nov. 5, 2004, seven months before Bradbury issued his HIPAA opinion, Gibson was sentenced to 16 months in prison. Because Gibson had been prosecuted on other criminal charges as well as a HIPAA violation, he did not challenge his HIPAA conviction after the Bradbury opinion was released.
Loitz said that she did not contact the OLC for an opinion about the scope of HIPAA, and it would have been extraordinary for her to do so. “The Office of Legal Counsel is used when there are differences in point of view on how to handle something. At that time, I didn’t know there was anything going on with respect to this issue at the” OLC.
But the decision to prosecute Gibson for a criminal HIPAA violation was made in Seattle, not Washington, she said. Thus, armed with charges reviewed in Washington, Loitz forged ahead with the Gibson prosecution, unaware of any high-level interest in HIPAA from Murphy or anyone else.
“No one let me know there was any controversy on this issue,” she said.
The Criminal Division in Washington would write the OLC on May 27, 2004, giving its position on the scope of the criminal HIPAA statute, as would Loitz’s boss, McKay, on March 17, 2005. Both opinions were part of the documents about the Bradbury opinion requested by Modern Healthcare but denied by the Justice Department. McKay is teaching at the University of Seattle School of Law. He did not respond to several requests to be interviewed for this story.
The Bradbury opinion on HIPAA touched off a brief but spirited battle of ideas within the legal community. In a caustic analysis published soon after Bradbury made the change known to the public, Swire argued that Bradbury had hobbled federal prosecutors, making it harder for them to charge and jail someone like Gibson with a HIPAA violation, since Gibson was not a “covered entity.”
Swire’s article prompted a quick response, published in a Justice Department bulletin from Peter Winn, an assistant U.S. attorney in the Seattle office and perhaps the “go-to guy” within the Justice Department on HIPAA.
Winn argued that Swire overstated the case by saying Bradbury had crippled HIPAA. In the bulletin, Winn laid out a strategy that prosecutors could use to still carry out “indirect prosecutions” of HIPAA violators who were not covered entities, even though it meant bootstrapping a HIPAA charge onto another, 1948 criminal statute.
But Winn also conceded in the bulletin that even that strategy has its limits. In the shadow of the Bradbury opinion, federal prosecutors will likely adopt “a conservative approach” to HIPAA and restrict charges to individuals normally involved in “the chain of trust” of routine healthcare recordkeeping and handling “unless the facts are particularly egregious.”
Winn speaks publicly about HIPAA and keeps track of federal HIPAA criminal prosecutions, but he would not discuss how McKay answered the OLC’s request for comment on a draft of its HIPAA opinion. Legislation introduced Sept. 15 by Rep. Pete Stark (D-Calif.) seeks closure of the Bradbury loophole, making sure the criminal provision is applicable to “a person (including an employee or other individual who is not a covered entity) … if the information is maintained by a covered entity … and the person knowingly obtained or disclosed such information without authorization.”
Eric Drew said that he has no trouble believing the government is snooping around in healthcare records, although he said he has no personal knowledge of anyone claiming to be a victim of government scrutiny of their medical information. His suspicion, he said, is rooted in bitter experience.
While Drew praised Loitz, the assistant U.S. attorney in Seattle who handled the prosecution of Gibson, the healthcare worker who victimized him, Drew also said he was given the brushoff when he tried earlier to get someone in the Justice Department or the Federal Trade Commission or any other Washington agency responsible for privacy enforcement to take an interest in his case. (Loitz said there are so many identity theft cases these days, police and prosecutors can’t handle them all, and that’s probably why Drew’s wasn’t embraced sooner.)
Drew said he’s convinced the only reason the government prosecuted Gibson was because it was shamed into doing so. Still critically ill with cancer, Drew hauled himself out of bed and, with the aid of a Seattle TV reporter, did most of the leg work in hunting down Gibson; then, on a TV news program, the reporter broadcast Gibson’s image taken by a cash register security camera at a home improvement store where he was making a credit card purchase in Drew’s name. Gibson was quickly identified. On Nov. 5, 2004, he was sentenced to 16 months in prison under terms of a plea agreement. But, seven months later, Bradbury issued his opinion reversing the legal theory under which Gibson was prosecuted, in that Gibson was an employee of a covered entity, but not a covered entity himself.
According to Drew, Loitz got the conviction, “And then, on June 1, 2005, they said it was a fluke and it shouldn’t be enforced that way.”
Drew said federal prosecutors have been the focus of “a lot of political pressure” by lobbyists representing various healthcare industry groups, including insurance companies, hospitals and physicians, to relax privacy enforcement. But, in Drew’s view, the pressure doesn’t end there.
“The exemption of the health insurance industry for any sort of liability for privacy violations is one piece in the puzzle you’re pursuing,” he said. “They don’t want HIPAA enforced, because it will open up to the world that nothing is being enforced. The government is taking away any private right of action against any of these entities; meanwhile, the CIA and the FBI can tap into any record they want. It is a part of a bigger plan to integrate American identities into a larger identification system.”
“The government, especially this administration, has been pushing for more and more cover over the tracking of information on civilians and they’re doing it over (concerns for) national security,” he said. “But it’s a fine line, and in the name of national security, terrible things have been done. Look how we interned the Japanese in World War II. That was wrong, but in the interest of national security, it wasn’t even questioned at the time. This administration, they might even believe it’s the right thing to do, but we need to be very careful. That information should not be made available without a warrant. If you let an agency decide what they want to do where and when, it’s very, very dangerous.”