Using your medical records to convict your family

The San Francisco Chronicle has posted a story about the Kansas BTK killings that brings to light the privacy issues with family-wide medical records.

[Detectives] learned that Rader had a daughter who had attended Kansas State University, and they reasoned that at some point she must have used the medical clinic, said Wichita police Lt. Ken Landwehr. “It was suggested that she probably had a Pap smear,” he said. Federal law requires that labs keep Pap smears for five years, principally in case of legal challenges over diagnoses.

The prosecutors obtained a subpoena and a court order for the daughter’s specimen to compare with BTK’s DNA. An exemption in the Family Educational Rights and Privacy Act allows law enforcement to obtain a student’s health data with a court order.

“It was obviously good detective work,” said Nola Tedesco Foulston, the prosecutor in the case.

At the same time, said George Washington University law professor Sonia Suter, “it is so troubling to think that somebody would have a sample taken for her medical welfare that is then used to implicate her father.”

I remember reading about the BTK case, but never heard this side of the story. It certainly begs the question of prior-consent. Should it be required from one member of a family to release their own identity evidence that could implicate another? And that is just the beginning of what looks like an ethical quagmire.

I really like this quote from a man in New York:

As things stand in some states, lab analysts who discover a potential suspect in this way may not be permitted to share that information with investigators. Such a policy, said William Fitzpatrick, a New York state district attorney, “is insanity. It’s disgraceful. If I’ve got something of scientific value that I can’t share because of imaginary privacy concerns, it’s crazy. That’s how we solve crimes.”

Imaginary? According to US federal compliance requirements for personal identity information, as conveniently documented in HIPAA, privacy concerns are very real and very regulated.

The details of the BTK case remind me of a college philosophy professor of mine who once explained that he gave up practicing law after he grew frustrated trying to defend people against law enforcement officers who flagrantly and repeatedly violated individual privacy. Apparently he thought arguing the case for people after they had experienced a violation was ineffective compared with trying to explain ethics to students. Or maybe he just thought it less stressful.

The Supreme Court has repeatedly held that authorities may not conduct searches for general law enforcement purposes without individualized suspicion. Although convicted criminals have a diminished right to privacy, searching a database for unknown kin might violate that principle, said Jeffrey Rosen, a George Washington University law professor. “The idea of holding people responsible for who they are rather than what they’ve done challenges deep American principles of privacy and equality,” he said. “Although the legal issues aren’t clear, the moral ones are vexing.”

The article is definitely worth a read; really brings forward the underlying challenge of good/fair governance that plagues compliance and control objectives.

Edited to add (May 9, 2008):

The LA Times published an article on this topic titled “California takes lead on DNA crime-fighting technique“.

Funny title. You would think it would be a crime in America to take your DNA without your consent. It is not, and the Times apparently thinks this development makes California a “leader” in fighting crime:

The policy, which takes effect immediately, is designed to work like this: The state’s crime lab will tell police about DNA profiles that come up during routine searches of California’s offender database and closely resemble, but do not match, the DNA left at a crime scene. (Previously, the state refused to tell police about these partial matches.)

The lab will then perform calculations and tests to determine the likelihood of a biological relationship between the person found in the database and the unknown offender believed to have left DNA at the crime scene.

When such partial matches do not surface or fail to produce a lead, a more customized familial search can be done in which computer software scans the database proactively for possible relatives. The software measures the chance of two people being related based on the rarity of the markers they share.

So, California is the first state to require a “customized familial search” and supposedly has a set of safety measures — family DNA privacy is violated only after all other leads run dry. The LA Times does not give any details other than to say they exist. Not very convincing.

Consider, for example, the following comment on a Washington Post story about the same:

The secret use of Ms. Rader’s DNA is reprehensible, and certainly would not pass a constitutional challenge. However, to make it very clear, we do need a federal law that would ban the use of DNA taken from a non-suspect for a specific purpose from being used WITHOUT CONSENT for different purposes having to do with other people. Additionally, in the Rader case, has anyone considered that this is simply laziness by the police force? Dennis Rader was already the prime suspect; why did they not obtain DNA from the suspect himself — a cup, tissue, straw, cigarette, utensil, etc? As with fingerprints, that is not prohibited by the 5th Amendment.

Excellent insight.

Incidentally, the new law in California is backed by Jerry Brown, a former governor who defeated Ronald Reagan in the 1966 election. He is known for things like opposition to the death penalty, opposition to the Vietnam War and hosting a populist talk-show radio program on Pacifica Radio in Berkeley. Not exactly the sort of guy you would expect to be in this anti-privacy position.

The LA Times article quotes Brown to give his perspective:

Brown said the new approach was justified by violent crime plaguing the state. He emphasized that it would be used only when all other leads had been exhausted.

“We have 2,000 murders a year in California — that is 10,000 since the Iraq war started — and that is a lot of killing,” Brown said. “When you see it and see the victims and have to go to funerals, it is pretty serious stuff.”

I can understand if a suspect search is done in terms specific to that person (e.g. tall, dark, light, fat, wearing x, y, z) but searching through a family’s private records without their consent appears to be a step backwards in terms of security and safety of the public. I suspect (no pun intended) that there are better methods to explore that would reduce violent crime without significant loss of privacy. I fear bad management of this provision and expanded access to DNA data will do more damage than good.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.