In NSA Appeals, DOJ Misleads About Medical and Financial Records

Earlier this week, the Ninth Circuit heard oral arguments in a challenge to the NSA’s phone metadata program. While watching, I noticed some quite misleading legal claims by the government’s counsel. I then reviewed last month’s oral arguments in the D.C. Circuit, and I spotted a similar assertion.

In both cases, the government attorney waved away constitutional concerns about medical and financial records. Congress, he suggested, has already stepped in to protect those files.

With respect to ordinary law enforcement investigations, that’s only slightly true. And with respect to nation security investigations, that’s really not right.

Medical Records

During Smith, the Ninth Circuit case, there was an extended line of questioning about various sorts of business records. Judge Hawkins kicked it off:

Suppose the National Security Agency wanted access to all utility records. Nationwide. Would that rationale apply?

Subsequent discussion touched on hotel and financial records. Then Judge McKeown asked:

What about medical records?

The Department of Justice attorney responded:

Well medical records, Judge McKeown I’m so glad you asked that because this is really an important point, medical records would be subject to HIPAA, among other protections.

A similar question in Klayman, the D.C. Circuit case, drew a similar response.

HIPAA, in your example Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information.

Later in the Smith argument, counsel reemphasized the importance of HIPAA, including:

But I think the significance of HIPAA can’t be discounted.

By way of background, the Health Insurance Portability and Accountability Act is the primary federal law that addresses health records. Under HIPAA, the Department of Health and Human Services is empowered to promulgate detailed privacy rules.

Here’s the catch: the HIPAA privacy rules have special exceptions for law enforcement and national security investigations.

The law enforcement provision is very broad. It covers all the usual police procedures, including subpoenas. Those don’t require a judge’s advance permission, and they also require much less basis than probable cause.

The national security exception is, of course, even more pertinent to the Smith and Klayman cases. And it’s even broader.

A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333).

In non-legalese: HIPAA just doesn’t apply to the NSA.1 And yet, in two separate NSA appeals, the government has emphasized HIPAA.2

Financial Records

In the Smith argument, government counsel twice noted that Congress has enacted privacy protections for financial records.

Following Miller, Congress enacted the financial privacy protections by statute.

In response to Miller, that Congress enacted a bank records protection of privacy . . .

Similarly, in Klayman:

For example, following the Miller case, Congress passed a statute governing the secrecy of bank records.

As background, United States v. Miller held that routine financial records are not protected by the Fourth Amendment. Two years later, Congress passed the Right to Financial Privacy Act… which largely codified Miller. Law enforcement agencies can still access financial records with just a subpoena.3

What’s more, RFPA includes a special set of national security procedures. Federal grand jury subpoenas and warrants aren’t covered by RFPA, so long as the investigating agency self-certifies “there may result a danger to the national security of the United States.”

RFPA also includes a National Security Letter provision. In counter-intelligence and counter-terrorism investigations, the FBI (and, by proxy, the NSA) doesn’t even need a grand jury subpoena. It can demand financial records with a mere self-certification.

So, once again: in a national security appeal, why emphasize privacy protections that don’t extend to national security investigations?

Section 215 of the USA PATRIOT Act

The precise statutory provision at issue in Smith and Klayman is Section 215 of the USA PATRIOT Act. It allows FBI (and NSA) access to any business records when conducting a counter-intelligence or counter-terrorism investigation.4 A FISA judge’s approval is required, though the standard for issuance is very low.

Section 215 covers medical records. A part of the statute, in fact, expressly addresses them.

Section 215 also covers financial records. In a 2010 opinion, the FISA Court held as much. And, in fact, the CIA operates a bulk financial surveillance program under Section 215.

In sum: not only are national security investigations generally outside HIPAA and RFPA, but the very same authority at issue in Smith and Klayman allows access to medical and financial records.

Concluding Thoughts

Reasonable minds can disagree on whether the government’s representations in Smith and Klayman were literally false. At minimum, they were highly misleading.

United States privacy law is notoriously convoluted. But this much is certain: medical and financial records are, by statute and rule, readily available to the intelligence community. The executive branch shouldn’t even hint otherwise.

Thanks to the colleagues who provided feedback on the legal analysis in this post. All views are solely my own.

1. In most instances of domestic surveillance, NSA requests are passed through the FBI. Since the National Security Act designates the FBI as a member of the intelligence community, its national security investigations are also unregulated by HIPAA.

2. In a charitable interpretation, the attorney misspoke while attempting to note that Congress can craft more nuanced privacy rules than the courts, and that Congress can provide privacy protections beyond the Fourth Amendment. Those points are undoubtedly true, though undoubtedly known to the judges.

3. A plain reading of RFPA suggests some privacy protection: targets receive advance notice of a subpoena and have an opportunity to contest the subpoena. In everyday practice, however, RFPA’s delayed notice provisions have swallowed the rule. Law enforcement agencies routinely obtain court orders that both eliminate the advance notice requirement and temporarily gag financial institutions from disclosure.

4. Where U.S. persons aren’t involved, any foreign intelligence purpose is sufficient.