Hostname: page-component-8448b6f56d-mp689 Total loading time: 0 Render date: 2024-04-23T11:29:16.004Z Has data issue: false hasContentIssue false
  • English
  • Français

Fourth Amendment Protections of Health Information After Carpenter v. United States: The Devil's In The Database

Published online by Cambridge University Press:  06 January 2021

Ryan Knox
Ryan Knox*
Affiliation:
Schulte Roth & Zabel LLP. J.D., New York University School of Law, 2019; Health Science, Boston University, 2016
Get access Rights & Permissions [Opens in a new window]

Abstract

Every day, companies collect health information from customers and analyze it for commercial purposes. This poses a significant threat to privacy, particularly as the Fourth Amendment protection of this deeply personal information is limited. Generally, law enforcement officers do not need probable cause and a warrant to access these private health information databases; only a subpoena is required, and sometimes nothing at all. The Fourth Amendment protections for health information may, however, have changed after the Supreme Court's 2018 decision in Carpenter v. United States, which held that the Fourth Amendment protects people from warrantless searches of historical cell-site location information possessed by their cell phone providers. The Court explained that, because of the nature of historical cell-site location information, individuals retain a reasonable expectation of privacy despite the information being in the possession of a third party. In reaching its holding, the Supreme Court considered the type of data, the uniqueness of cell-site location information, the impact of technological advancement on privacy, the voluntariness of the disclosure, and the property rights associated with the records. Many of these factors could support heightened Fourth Amendment protection for health information. This Article argues that Carpenter v. United States provides additional protections for future searches of health information in private databases.

Type
Articles
Information
American Journal of Law & Medicine , Volume 45 , Issue 4 , November 2019 , pp. 331 - 355
Copyright
Copyright © American Society of Law, Medicine and Ethics and Boston University 2019

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

All opinions and errors are my own.

1 See Joseph V. DeMarco & Brian A. Fox, Data Rights and Data Wrongs: Civil Litigation and the New Privacy Norms, 128 Yale L. J. F. 1016, 1020 (2019) (footnotes omitted) (“The amount of data we produce each day is staggering. By 2025, the proliferation of data-producing devices and services means that each person with an internet-connected device will have at least one data interaction—sending or receiving from a continually expanding universe of such devices every 18 seconds, or almost 5000 per day. Reports of Cambridge Analytica's mass collection of Facebook user data have raised the public's awareness of some of the potential policy issues raised by the rise of big data. As demonstrated by that episode, even if the average person knows that companies or their cell phone carriers are collecting immense amounts of data about their lives, many may not know where that data winds up. They are often outraged when they find out.”).

2 See infra Section II.A.

3 See infra Section II.B.

4 Charlotte, J. Haug, Whose Data Are They? Can a Patient Perspective Advance the Data-Sharing Debate?, 376 New Eng. J. Med. 2203, 2205 (2017)Google Scholar; W., Nicholson Price et al., Shadow Health Records Meet New Data Privacy Laws, 363 Sci. 448, 449 (2019)Google Scholar.

5 See, e.g., Nathan, Cortez, Substantiating Big Data in Health Care, 14 I/S: J.L. & Pol'y for Info. Soc'y 61, 61 (2017)Google Scholar (“Predictive analytics might help us diagnose diseases more quickly, treat medical conditions more effectively, deploy scarce health resources more efficiently, and even improve the way we maintain our minds and bodies.”).

6 Generally, “‘[b]ig data in healthcare’ refers to the abundant health data amassed from numerous sources including electronic health records (EHRs), medical imaging, genomic sequencing, payor records, pharmaceutical research, wearables, and medical devices.” Healthcare Big Data and the Promise of Value-Based Care, NEJM Catalyst (Jan. 1, 2018), https://catalyst.nejm.org/big-data-healthcare/ [http://perma.cc/5XTM-J6NW] [hereinafter Promise of Value-Based Care]. This Article also includes other sources of health and genetic information outside the medical context, particularly direct-to-consumer genetic testing and phone applications tracking health information.

The general characteristics of big data are volume, variety, and velocity (speed of analysis and access). Some, especially in the health care sector, recommend adding value to the core definition. I. Glenn Cohen et al., Introduction, in Big Data, Health Law, and Bioethics 1 (I. Glenn Cohen, Holly Fernandez Lynch, Effy Vayenea, & Urs Gasser eds., Cambridge Univ. Press, 2018).

7 See Mark Dennis Robinson, Do You Know the Terms and Conditions of Your Health Apps? HIPAA, Privacy and the Growth of Digital Health, Bill of Health (Apr. 3, 2019), http://blog.petrieflom.law.harvard.edu/2019/04/03/do-you-know-the-terms-and-conditions-of-your-health-apps-hipaa-privacy-and-the-growth-of-digital-health/ [https://perma.cc/MMW3-QUNN]; see also Ferguson v. City of Charleston, 532 U.S. 67, 78 (2001) (“The reasonable expectation of privacy enjoyed by the typical patient undergoing diagnostic tests in a hospital is that the results of those tests will not be shared with nonmedical personnel without her consent.”).

Patients “also want some control over how the data are shared. For example, they would be more hesitant to participate if commercial or other interests were involved — for instance, if health care systems wanted to use the data to decide whether to provide care to certain groups or if drug or insurance companies had a commercial interest in them.” Haug, supra note 4, at 2203.

8 See, e.g., David Wagner, Why Healthcare Is A Top Target For Hackers, Health IT Outcomes (Feb. 16, 2018), https://www.healthitoutcomes.com/doc/why-healthcare-is-a-top-target-for-hackers-0001 [https://perma.cc/HX6H-HZDQ]; Bernard Marr, How Big Data Is Changing Healthcare, Forbes (Apr. 21, 2015, 10:50 AM), https://www.forbes.com/sites/bernardmarr/2015/04/21/how-big-data-is-changing-healthcare/#728ce0612873 [https://perma.cc/Q9ZP-GR95] (covering the risk hackers pose to health information security); Frank Pasquale & Tara Adams Ragone, Protecting Health Privacy in an Era of Big Data Processing and Cloud Computing, 17 Stan. Tech. L. Rev. 595 (2014).

9 See, e.g., Thomas May, Sociogenetic Risks — Ancestry DNA Testing, Third-Party Identity, and Protection of Privacy, 379 New Eng. J. Med. 410, 411 (2018); Natalie Ram, Genetic Privacy After Carpenter, 105 Va. L. Rev. (forthcoming 2019) (manuscript at 3-5), http://dx.doi.org/10.2139/ssrn.3265827; Mason Marks & Tiffany Li, DNA donors must demand stronger protection for genetic privacy, STAT (May 30, 2018), https://www.statnews.com/2018/05/30/dna-donors-genetic-privacy-nih/ [https://perma.cc/NJ6D-VDRY].

10 See May, supra note 9, at 411.

11 See id.

12 Carpenter v. United States, 138 S. Ct. 2206, 2222-23 (2018).

13 Id. at 2216-20.

14 See id. at 2218 (“A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor's offices, political headquarters, and other potentially revealing locales.”); see also id. at 2261 (Gorsuch, J., dissenting) (explaining that under the third-party doctrine “the Court came to conclude, the Constitution does nothing to limit investigators from searching records you've entrusted to your bank, accountant, and maybe even your doctor”).

15 See Julian Hattem, Investigators say DNA database can be goldmine for old cases, Associated Press (June 16, 2018), https://www.apnews.com/96ee418316c343649df5d10d2a44c600 [https://perma.cc/EC9Z-5U66].

16 See, e.g., David, W. Bates et al., Big Data In Health Care: Using Analytics To Identify And Manage High-Risk And High-Cost Patients, 33 Health Aff. 1123, 1127 (2014)Google Scholar (discussing examples and potential for big data to improve and inform evidence-based practice).

17 See Cortez, supra note 5, at 66; Promise of Value-Based Care, supra note 6.

18 Cortez, supra note 5, at 68.

19 Cohen et al., supra note 6, at 1.

20 Marr, supra note 8.

21 See Mohana Ravindranath, How your health information is sold and turned into ‘risk scores,’ Politico (Feb. 3, 2019, 6:56 AM), https://www.politico.com/story/2019/02/03/health-risk-scores-opioid-abuse-1139978 [https://perma.cc/R3XB-V5P7].

22 Id.

23 See Valerie, Gay & Peter, Leijdekkers, Bringing Health and Fitness Data Together for Connected Health Care: Mobile Apps as Enablers of Interoperability, 17 J. Med. Internet Res. e260 (2018)Google Scholar; Promise of Value-Based Care, supra note 6.

24 Cohen et al., supra note 6, at 1.

25 Marr, supra note 8.

26 See, e.g., Mason Marks, Emergent Medical Data, Bill of Health (Oct. 11, 2017), http://blog.petrieflom.law.harvard.edu/2017/10/11/emergent-medical-data/ [https://perma.cc/BQ5Q-KQHM] (“A well-known example of corporate mining of [emergent medical data] involves the Target Corporation. In 2012, the New York Times reported that Target hired statisticians to find patterns in its customers' purchasing habits. They discovered that pregnant female shoppers stocked up on unscented body lotion around the start of their second trimester. After making this connection, Target could reach out to expectant mothers with coupons and advertisements before its competitors learned the customers were pregnant. Before Target analyzed the data, buying unscented lotion had no perceived connection to a customer's health.”).

27 While DNA and genetic information are usually treated differently from health information in the Fourth Amendment context, it is important to remember and consider the valuable health information available from genetic analysis. See, e.g., Teneille, R. Brown, Double Helix, Double Standards: Private Matters and Public People, 11 J. Health Care L. & Pol'y 295, 313 (2008)Google Scholar (footnotes omitted) (“A DNA molecule is a source of medical information with predictive powers to estimate an individual's risk of suffering from a wide variety of conditions in the future. Genetic information can be stored just like a patient's written medical record, and can potentially be used and accessed downstream by people who have no relationship with the patient…The potential for extrapolation (and abuse of extrapolation from overstating genetic impact) is huge. Unlike cholesterol or protein levels, genetic sequencing of DNA in the nucleus of blood cells should not fluctuate based on the time of the test.”).

28 See Antonio Regelado, More than 26 million people have taken an at-home ancestry test, MIT Tech. Rev. (Feb. 11, 2019), https://www.technologyreview.com/s/612880/more-than-26-million-people-have-taken-an-at-home-ancestry-test/ [https://perma.cc/65YK-FME8].

29 See Ram, supra note 9, at 19.

30 See id. For a detailed discussion of DNA profiles in law enforcement databases, see Maryland v. King, 569 U.S. 435, 442-46 (2013).

31 See Yael, Bregman-Eschet, Genetic Databases and Biobanks: Who Controls Our Genetic Privacy, 23 Santa Clara Computer & High Tech. L.J. 1, 8 (2006)Google Scholar; Ram, supra note 9, at 21-22.

32 See Bregman-Eschet, supra note 31, at 2 (explaining records from genetic information databases and biobanks are even more revealing and intrusive than medical records); Ram, supra note 9, at 19-21; Researchers produce images of people's faces from their genomes, Economist (Sept. 9, 2017), https://www.economist.com/science-and-technology/2017/09/09/researchers-produce-images-of-peoples-faces-from-their-genomes [https://perma.cc/L27E-JPN7] (discussing using genomics to model an individual's likeness); see also Elizabeth, E. Joh, Policing By Numbers: Big Data and the Fourth Amendment, 89 Wash. L. Rev. 35, 53-54 (2014)Google Scholar (footnotes omitted) (“What is often ignored, however, is that these numbers are generated from biological samples. These samples pose rich data possibilities; information that could be analyzed in different ways for a variety of purposes.”).

33 See Ambry Genetics, https://www.ambrygen.com [https://perma.cc/PK36-LJ3T] (last visited Oct. 13, 2019); Invitae, https://www.invitae.com/en/ [https://perma.cc/3PHJ-FBGK] (last visited Oct. 14, 2019).

34 See, e.g., Relatives In Common Feature, 23andMe, https://customercare.23andme.com/hc/enus/articles/221689668-Relatives-In-Common-Feature [https://perma.cc/727X-NF22] (last visited Oct. 13, 2019); see also Gina Kolata, With a Simple DNA Test, Family Histories Are Rewritten, N.Y. Times (Aug. 28, 2017), https://www.nytimes.com/2017/08/28/science/dna-tests-ancestry.html [https://perma.cc/AG2QT7EQ].

35 See, e.g., Ancestry, https://www.ancestry.com [https://perma.cc/7ESF-8V7W] (last visited Oct. 13, 2019) (Ancestry.com); GEDMatch, https://www.yourdnaguide.com/upload-to-gedmatch [https://perma.cc/4GDW-L9SV] (last visited Oct. 13, 2019) (GEDmatch); 23andMe, https://www.23andme.com [https://perma.cc/QC7X-9XA6] (last visited Oct. 13, 2019) (23andMe).

36 See also Ram, supra note 9, at 8 (footnote omitted).

37 See Bradley, A. Areheart & Jessica, L. Roberts, GINA, BIG Data, and the Future of Employee Privacy, 128 Yale L.J. 710, 714-15 (2019)Google Scholar (citation omitted).

38 Megan Molteni, 23andMe's New Diabetes Test Has Experts Asking Who It's For, Wired (Mar. 10, 2019, 2:00 PM), https://www.wired.com/story/23andmes-new-diabetes-test-has-experts-asking-who-itsfor/ [https://perma.cc/3B53-XMEM]; see also Antonio Regalado, 23andMe thinks polygenic risk scores are ready for the masses, but experts aren't so sure, MIT Tech. Rev. (Mar. 8, 2019), https://www.technologyreview.com/s/613095/23andme-thinks-polygenic-risk-scores-are-ready-for-the-masses-but-experts-arent-so-sure/ [https://perma.cc/C6FK-N4KD].

39 Megan Molteni, The Future of Crime-Fighting Is Family Tree Forensics, Wired (Dec. 26, 2018, 8:00 AM), https://www.wired.com/story/the-future-of-crime-fighting-is-family-tree-forensics/ [https://perma.cc/5FFT-TWHA].

40 Ted Gest, Criminal Justice News Coverage in 2018, Ctr. on media crime & Justice (Feb. 18, 2019), https://thecrimereport.org/2019/02/18/criminal-justice-news-coverage-in-2018/ [https://perma.cc/R9VC-848B].

41 May, supra note 9, at 411.

42 Marks & Li, supra note 9.

43 Ram, supra note 9, at 4-5; Frequently Asked Questions (FAQs) About Snapshot, Parabon Nanolabs, https://snapshot.parabon-nanolabs.com/faq [https://perma.cc/PV2K-SBCV] (last visited Oct. 12, 2019).

44 Albert E. Scherr, Genetic Privacy and the Fourth Amendment: Unregulated Surreptitious DNA Harvesting, 47 Ga. L. Rev. 445, 447 (2013) (footnote omitted) (“In one twist, a sample of DNA from a five-year-old Pap smear of an unsuspecting and unsuspected relative of the infamous BTK killer in Kansas City contributed to his arrest.”); Ari Shapiro, Police Use DNA to Track Suspects Through Family, Nat'l Pub. Radio (Dec. 12, 2007, 12:27 AM), https://www.npr.org/templates/story/story.php?storyId=17130501 [https://perma.cc/T2ME-S6XQ].

45 See U.S. Dep't of Justice Drug Enf't Admin. v. Utah Dep't of Commerce, No. 2:16-cv-611-DNDBP, 2017 WL 3189868, at *1 (D. Utah July 27, 2017) (using PDMP records to investigate a physician); Or. Prescription Drug Monitoring Program v. U.S. Drug Enf't Admin., 998 F. Supp. 2d 957, 961 (D. Or. 2014), rev'd on other grounds, 860 F.3d 1228 (9th Cir. 2017) (using PDMP records to investigate physicians and patients); Williams v. Commonwealth, 213 S.W.3d 671, 674 (Ky. 2006) (using PDMP records to investigate a physician). See generally Jennifer D. Oliva, Prescription Drug Policing: The Right to Protected Health Information Privacy Pre- and Post-Carpenter, 69 Duke L.J, (forthcoming 2020) (discussing privacy issues related to prescription drug monitoring programs).

46 Kate Snow and Jon Schuppe, ‘This is the beginning: Using DNA and genealogy to crack years-old cold cases, NBC News (July 18, 2018, 8:30 AM), https://www.nbcnews.com/news/us-news/just-beginning-using-dna-genealogy-crack-years-old-cold-cases-n892126 [https://perma.cc/Y76X-BYDH].

47 Natalie Ram, Fortuity and Forensic Familial Identification, 63 Stan. L. Rev. 751, 753 (2011) [hereinafter Ram, Fortuity]; see also Natalie Ram, DNA by the Entirety, 115 Colum. L. Rev. 873, 887 (2015) [hereinafter Ram, Entirety] (“Generating whole-genome data significantly increases the ability to match the DNA of close relatives, and to reveal predictive information about relatives' present and future health risks.”).

48 This information is often available to law enforcement without a warrant by request or subpoena. See, e.g., Law Enforcement Access, Elec. Frontier Found., https://www.eff.org/issues/law-enforcement-access (last visited Oct. 12, 2019) (“HIPAA permits the police to use an administrative subpoena or other written request with no court involvement, as long as police include a written statement that the information they want is relevant, material, and limited in scope, and that de-identified information is insufficient. Law enforcement can also bypass judicial and administrative processes under HIPAA to get access to medical records. For example, the police may request medical information directly to identify or locate a suspect, fugitive, witness, or missing person; when a crime has been committed at a health care facility; or when there is a medical emergency involved in a crime. In general, these are permissive disclosures—the covered entity or business associate may refuse.”).

There are also limited statutory protections and guidelines for the information and samples after the service is provided, generally permitting these subsequent law enforcement uses and providing consumers little protection. See Bregman-Eschet, supra note 31, at 19; Tiffany Li & Mason Marks, All secrets revealed in DNA testing. Still want to do it? [Opinion], Houst. Chron. (Aug. 8, 2018, 5:00 AM), https://www.houstonchronicle.com/opinion/outlook/article/All-secrets-revealed-in-DNA-testing-Still-want-13138998.php [https://perma.cc/5E74-RQYV]. See generally Erin Murphy, The Politics of Privacy in the Criminal Justice System: Information Disclosure, the Fourth Amendment, and Statutory Law Enforcement Exemptions, 111 Mich. L. Rev. 485 (2013) (discussing legislative privacy protections and exceptions for law enforcement disclosure).

49 Natalie Jones, Bill seeks to prohibit using DNA databases to solve crime, Associated Press (Feb. 20, 2019), https://www.apnews.com/ddfa055f09e842bdbbbd38c2fba74a1a [https://perma.cc/2CTMV245].

50 See Erin E. Murphy, The Dark Side of DNA Databases, Atlantic (Oct. 8, 2015) https://www.theatlantic.com/science/archive/2015/10/the-dark-side-of-dna-databases/408709/ [https://perma.cc/QV7D-YLNB].

51 See Dieter Holger, DNA Testing for ancestry is more detailed for white people. Here's why, and how it's changing, PCWorld (Dec. 4, 2018, 3:04 AM), https://www.pcworld.com/article/3323366/dna-testing-for-ancestry-white-people.html [https://perma.cc/E97M-9SQZ]. In fact, law enforcement will soon be able to find a DNA match to a second or third cousin of nearly every American of European ancestry using two or three of these major genetic databases. Salvador Hernandez, Using DNA Databases To Find Your Distant Relatives? So Is The FBI., BuzzFeed News (Feb. 7, 2019, 10:25 PM), https://www.buzzfeednews.com/article/salvadorhernandez/using-dna-databases-to-find-your-distant-relatives-so-is [https://perma.cc/Q4BK-VAST] (“With access to two large consumer genealogy libraries, federal investigators now have the potential to find a DNA match as close as a third cousin to more than half of Americans, and the growing popularity of at-home testing kits means it will only get easier with time…. With a database encompassing [seven] million people, or about [five percent] of the population, Erlich said authorities would eventually be able to link nearly every American of European descent to a second cousin, according to the study.”).

52 See Damian Garde, ‘What's my real identity?’: As DNA ancestry sites gather more data, the answer for consumers often changes, STAT (May 22, 2019), https://www.statnews.com/2019/05/22/dna-ancestry-sites-gather-data-shifting-answers-consumers/ [https://perma.cc/AA88-LCN].

53 See id.

54 See Eric Rosenbaum, 5 biggest risks of sharing your DNA with consumer genetic-testing companies, CNBC (June 16, 2018, 2:18 PM), https://www.cnbc.com/2018/06/16/5-biggest-risks-of-sharing-dna-with-consumer-genetic-testing-companies.html [https://perma.cc/V3AF-3AZL].

55 Assurance of Discontinuance, In re Aetna Inc., No. 18-001, 3-4 (Jan. 19, 2018), https://ag.ny.gov/sites/default/files/aetna_aod_0.pdf; DeMarco & Fox, supra note 1, at 1018.

56 NY governor orders probe into Facebook access to data from other Apps, Reuters (Feb. 22, 2019, 2:15 PM), https://www.reuters.com/article/us-facebook-new-york/ny-governor-orders-probe-into-facebook-access-to-data-from-other-apps-idUSKCN1QB2AJ [https://perma.cc/4LAA-V45K].

57 Daisuke Wakabayashi, Google and the University of Chicago Are Sued Over Data Sharing, N.Y. Times (June 26, 2019), https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html?rref=collection%2Fbyline%2Fdaisukewakabayashi&action=click&contentCollection=undefined&region=stream&module=stream_unit&version=latest&contentPlacement=1&pgtype=collection [https://perma.cc/8LBJ-ZNCM].

58 See, e.g., Bates et al., supra note 16, at 1126. See generally Harlan, H. Krumholz, Big Data and New Knowledge in Medicine: The Thinking, Training, And Tools Needed For a Learning Health System, 33 Health Aff. 1163 (2014)Google Scholar; Choong, Ho Lee & Hyung-Jin, Yoon, Medical big data: promise and challenges, 36 Kidney Res. & Clinical Prac. 3 (2017)Google Scholar.

59 See Tina Hesman Saey, What consumer DNA data can and can't tell you about your risk for certain diseases, ScienceNews (June 3, 2018, 6:00 AM), https://www.sciencenews.org/article/health-dna-genetic-testing-disease [https://perma.cc/S5PB-TQWD].

60 See id.

61 Ravindranath, supra note 21.

62 See Maureen Boesen, I Got A Double Mastectomy After A Genetic Test. Then I Learned The Results Were Wrong., HuffPost (Feb. 21, 2019, 9:00 AM), https://www.huffpost.com/entry/brca-genetic-testing-mastectomy_n_5c6c39fbe4b012225acd80d3 [https://perma.cc/643Z-HC64].

63 See Kimberly, Cogdell Boies, Misuse of DNA Evidence is Not Always a Harmless Error: DNA Evidence, Prosecutorial Misconduct, and Wrongful Conviction, 17 Tex. Wesleyan L. Rev. 403, 434-38 (2011)Google Scholar.

64 U.S. Const. amend. IV.

65 Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring) (“a person [must] have exhibited an actual (subjective) expectation of privacy and… the expectation [must] be one that society is prepared to recognize as ‘reasonable.’”); see also Smith v. Maryland, 442 U.S. 735, 740-44 (1979) (adopting the reasonable expectation of privacy framework from Justice Harlan's concurrence in Katz); Griswold v. Connecticut, 381 U.S. 479, 484 (1965) (finding a right to privacy in the penumbras of the First, Third, Fourth, Fifth, and Ninth Amendments).

66 Carpenter v. United States, 138 S. Ct. 2206, 2213 (2018) (quoting Camara v. Mun. Court of S.F., 387 U.S. 523, 528 (1967)).

67 Byrd v. United States, 138 S. Ct. 1518, 1527 (2018) (“[A] person need not always have a recognized common-law property interest in the place searched to be able to claim a reasonable expectation of privacy in it.”).

68 See Katz, 389 U.S. at 361.

69 Arizona v. Gant, 556 U.S. 332, 338 (2009) (quoting Katz, 389 U.S. at 357).

70 Smith, 442 U.S. at 743-44; United States v. Miller, 425 U.S. 435, 443 (1976) (citing United States v. White, 401 U.S. 745, 752 (1971)); see also Paul Ohm, The Many Revolutions of Carpenter, 32 Harv. J.L. & Tech. 357, 362 (2019) (“The third-party doctrine says that information a person voluntarily dis-closes to a third party is not protected by a reasonable expectation of privacy.”).

71 Smith, 442 U.S. at 736 (pen register); Miller, 425 U.S. at 435 (bank records).

72 See, e.g., U.S. Dep't of Justice Drug Enf't Admin. v. Utah Dep't of Commerce, No. 2:16-cv-611-DN-DBP, 2017 WL 3189868, at *8 (D. Utah July 27, 2017) (citing Miller, 425 U.S. at 443; United States v. White, 401 U.S. at 751-52; Williams v. Commonwealth, 213 S.W.3d 671, 681-84 (Ky. 2006).

73 Maryland v. King, 569 U.S. 435, 465 (2013).

74 Id. at 463-64.

75 Riley v. California, 573 U.S. 373, 395-96 (2014).

76 United States v. Jones, 565 U.S. 400, 417 (2012) (Sotomayor, J., concurring) (“[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age…”).

77 Id. at 415 (citing People v. Weaver, 909 N.E.2d 1195, 1199 (N.Y. 2009)).

78 Carpenter v. United States, 138 S. Ct. 2206, 2212 (2018).

79 Id.

80 Id. at 2211-12.

81 Id.

82 Id. at 2212 (citing 18 U. S. C. § 2703(d)).

83 See U.S. Const. amend. IV (“[N]o Warrants shall issue, but upon probable cause.”).

84 See United States v. Morton Salt Co., 338 U.S. 632, 652-53 (1950) (quoting Okla. Press Publ'g Co. v. Walling, 327 U.S. 186, 208 (1946)); see also See v. City of Seattle, 387 U.S. 541, 544 (1967) (subpoenas must only “be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome” in order to comport with the Fourth Amendment).

85 Carpenter, 138 S. Ct. at 2212-13.

86 Id. at 2212.

87 Id.; see also United States v. Carpenter, No. CRIM. 12-20218, 2013 WL 6385838, at *7-9 (E.D. Mich. Dec. 6, 2013), aff'd, 819 F.3d 880 (6th Cir. 2016), rev'd, 138 S. Ct. 2206 (2018).

88 Carpenter, 138 S. Ct. at 2213.

89 Id. at 2211.

90 Id. at 2211, 2223.

91 Id. at 2217.

92 Id. at 2213.

93 Id. at 2213-14.

94 Id. at 2214.

95 Id. (quoting United States v. Di Re, 332 U.S. 581, 595 (1948); Boyd v. United States, 116 U.S. 616, 630 (1886)).

96 Id. at 2214.

97 Id.

98 Id. (quoting Kyllo v. United States, 533 U.S. 27, 34 (2001)).

99 Id. at 2214.

100 United States v. Jones, 565 U.S. 400, 404-05 (2012) (finding government's installation of Global-Positioning System device on vehicle to monitor vehicles location constituted a “search” within the meaning of the Fourth Amendment).

101 Carpenter, 138 S. Ct. at 2215.

102 Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (holding no reasonable expectation of privacy in phone numbers dialed where the numbers were collected after telephone company installed a pen register at police request).

103 United States v. Miller, 425 U.S. 435, 443 (1976) (finding no Fourth Amendment interest in bank records maintained in compliance with the Bank Secrecy Act).

104 Carpenter, 138 S. Ct. at 2216.

105 Id. at 2217.

106 See id. at 2220.

107 Id. at 2218.

108 Id. at 2220.

109 Id. at 2217.

110 United States v. Miller, 425 U.S. 435, 442 (1976).

111 Smith v. Maryland, 442 U.S. 735, 741-42 (1979).

112 Carpenter, 138 S. Ct. at 2219 (quoting Miller, 425 U.S. at 442).

113 Id. at 2218.

114 Id. at 2220.

115 See id. at 2219-20.

116 Id. at 2219 (quoting Riley v. California, 573 U.S. 373, 392 (2014)).

117 Id. at 2217.

118 Id. at 2221.

119 Id. at 2220.

120 See id. at 2221-22.

121 Id. at 2222.

122 Id. at 2223.

123 Id. at 2218, 2261.

124 Id. at 2218 (emphasis added) (citing Riley v. California, 573 U.S. 373, 395 (2014)).

125 See id.

126 Id. (citing Riley, 573 U.S. at 385).

127 See generally Missouri v. McNeely, 569 U.S. 141 (2013) (finding blood test for blood alcohol content impermissible without warrant); Ferguson v. City of Charleston, 532 U.S. 67 (2001) (holding mandatory reporting of urine test impermissible); Schmerber v. California, 384 U.S. 757 (1966) (finding warrantless blood tests impermissible). But see Maryland v. King, 569 U.S. 435 (2013) (deciding cheek swab for DNA upon arrest and subsequent database search permissible).

128 Carpenter, 138 S. Ct. at 2261 (Gorsuch, J., dissenting).

129 Id. (emphasis added).

130 Id. at 2262.

131 Id.

132 Id.

133 These factors differ but strongly overlap with those identified by Professor Paul Ohm: “(1) ‘the deeply revealing nature’ of the information;” closely tracking the personal nature of health information discussed in Section A; “(2) ‘its depth, breadth, and comprehensive reach,’” related to the technological advancement permitting the big data analysis at issue with health and genetic information as well as supporting the Court's description of cell-site location information as “unique”; and (3) “the inescapable and automatic nature of its collection,” which is less applicable to this piece given the voluntary participation in the commercial services. See Ohm, supra note 70, at 361.

Professor Ohm concludes that as applied to medical records, lower courts will find their protection to be a close call. See id. at 384. While I agree that there would be significant difficulty in finding additional privacy protection requirements for genetic information, I am optimistic, especially given the emphasis on the nature of the data in the Carpenter calculus, that health information would be given greater protections, as argued in the following sections. See id. at 385.

134 Carpenter, 138 S. Ct. at 2219 (quoting Riley v. California, 573 U.S. 373, 392 (2014)).

135 Id. at 2216.

136 Id. at 2219 (quoting United States v. Miller, 425 U. S. 435, 442 (1976)).

137 See, e.g., Ferguson v. City of Charleston, 532 U.S. 67, 78 (2001) (“The reasonable expectation of privacy enjoyed by the typical patient undergoing diagnostic tests in a hospital is that the results of those tests will not be shared with nonmedical personnel without her consent.”).

Surveys have shown, however, that individuals' concern for health and genetic privacy varies. See Ellen Wright Clayton et al., The law of genetic privacy: applications, implications, and limitations, J.L. & Biosci. 1, 4 (2019) [hereinafter The law of genetic privacy] (citations omitted) (“People also vary widely in how much they are concerned about genetic privacy and privacy in general.”).

138 See Douglas v. Dobbs, 419 F.3d 1097, 1102 (10th Cir. 2005); Tucson Woman's Clinic v. Eden, 379 F.3d 531, 550 (9th Cir. 2004); Doe v. Broderick, 225 F.3d 440, 451 (4th Cir. 2000); Anderson v. Romero, 72 F.3d 518, 522 (7th Cir. 1995); Doe v. Se. Pa. Transp. Auth., 72 F.3d 1133 (3d Cir. 1995); In re Search Warrant (Sealed), 810 F.2d 67, 71 (3d Cir. 1987) (“[M]edical records are clearly within this constitutionally protected sphere.”); State v. Skinner, 10 So. 3d 1212 (La. 2009); State v. Welch, 624 A.2d 1105, 1109 (Vt. 1992); see also United States v. Kravetz, 706 F.3d 47, 63 (1st Cir. 2013) (“Medical information is … universally presumed to be private, not public.”); Kerns v. Bader, 663 F.3d 1173, 1184 (10th Cir. 2011) (“[A] patient has a privacy interest in medical records held by a third party medical services provider.”); A.L.A. v. West Valley City, 26 F.3d 989, 990 (10th Cir. 1994) (“There is no dispute that confidential medical information is entitled to constitutional privacy protection.”); Doe v. City of New York, 15 F.3d 264, 267 (2d Cir. 1994) (“Extension of the right to confidentiality to personal medical information recognizes there are few matters that are quite so personal as the status of one's health, and few matters the dissemination of which one would prefer to maintain greater control over.”); In re Search Warrant (Sealed), 810 F.2d 67, 71 (3d Cir. 1987) (“[M]edical records are clearly within this constitutionally protected sphere.”); King v. State, 535 S.E.2d 492, 495 (Ga. 2000) (“[A] patient's medical information, as reflected in the records maintained by his or her medical providers, is certainly a matter which a reasonable person would consider to be private.”); Commonwealth v. Riedel, 651 A.2d 135, 139-40 (Pa. 1994) (finding “appellant does have a reasonable expectation of privacy in his medical records”).

Still, many other courts have found that mandatory reporting statutes or the fact that a patient has gone to a third party (the doctor) diminishes or destroys Fourth Amendment Protection. See U.S. Dep't of Justice Drug Enf't Admin. v. Utah Dep't of Commerce, No. 2:16-cv-611-DN-DBP, 2017 WL 3189868, at *8 (D. Utah July 27, 2017); State v. Russo, 790 A.2d 1132, 1152 (Conn. 2002); Williams v. Commonwealth, 213 S.W.3d 671, 683 (Ky. 2006); State v. Weidman, 835 N.W.2d 698, 709-13 (Neb. 2013); Stone v. Stow, 593 N.E.2d 294 (Ohio 1992).

139 Or. Prescription Drug Monitoring Program v. U.S. Drug Enf't Admin., 998 F. Supp. 2d 957, 964 (D. Or. 2014), rev'd on other grounds, 860 F.3d 1228 (9th Cir. 2017) (“The Hippocratic Oath has contained provisions requiring physicians to maintain patient confidentiality since the Fourth Century B.C.E.”); see also Jaffee v. Redmond, 518 U.S. 1, 10 (1996) (discussing psychotherapist patient privilege).

Many states have legislated to protect the doctor-patient privilege. See, e.g., Ariz. Rev. Stat. Ann. § 12-2235 (2019); Cal. Evid. Code § 992 (West 2019); Colo. Rev. Stat. Ann. § 13-90-107(d) (West 2019); Conn. Gen. Stat. Ann. § 52-146o (West 2013); Haw. Rev. Stat. Ann. § 626-1, Rule 504 (West 2019); Idaho Code Ann. § 9-203.4 (West 2015); 735 Ill. Comp. Stat. Ann. 5/8-802 (West 2019); Ind. Code Ann. § 34-46-3-1 (West 2019); Iowa Code Ann. § 622.10 (West 2015); Kan. Stat. Ann. § 60-427 (West 2018); La. Stat. Ann. § 13:3734 (2018); Me. R. Evid. 503 (West 2019); Mich. Comp. Laws Ann. § 600.2157 (West 2013); Minn. Stat. Ann. § 595.02(d) (West 2013); Miss. Code Stat. Ann. § 13-1-21 (West 2019); Mo. Ann. Stat. § 491.060 (West 2018); Mont. Code Ann. § 26-1-805 (West 2019); N.H. Rev. Stat. Ann. § 329:26 (West 2008); N.J. Stat. Ann. § 2A:84A-22.2 (West 2019); N.M. R. Evid. 11-504 (West 2019); Ohio Rev. Code Ann. § 2317.02(B) (West 2017); Okla. Stat. tit. 12, § 2503 (West 2019); Or. Rev. Stat. Ann. § 40.235 (West 2019); 42 Pa. Stat. and Cons. Stat. Ann. § 5929 (West 2019); 5 R.I. Gen. Laws Ann. § 5-37.3-4 (West 2019); S.D. Codified Laws § 19-19-503 (2019); Vt. Stat. Ann. tit. 12, § 1612 (West 2019); Va. Code Ann. § 8.01-399 (2009); Wash. Rev. Code Ann. § 5.60.060 (West 2019); Wis. Stat. Ann. § 905.04 (West 2018); Wyo. Stat. Ann. § 1-12-101 (West 2019). But see Whalen v. Roe, 429 U.S. 589, 602 n.28 (1977) (noting no federally recognized doctor-patient privilege).

140 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of 42 U.S.C.).

While many courts take legislation into account when deciding Fourth Amendment cases, some scholars have argued for removing legislation and judgments of Congressional intent from Fourth Amendment analysis. See Orin S. Kerr, The Effect of Legislation on Fourth Amendment Protection, 115 Mich. L. Rev. 1117, 1158-65 (2017).

141 Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, 122 Stat. 881 (codified in scattered section of 42 U.S.C.).

142 See generally id. (restricting disclosure of genetic information by employers, employment agencies, labor organizations, and joint labor management committees); Health Insurance Portability and Accountability Act (recognizing importance of confidentiality and privacy in healthcare information).

143 See 45 C.F.R. § 160.103 (2014) (applying to health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically).

144 W. Nicholson Price II & I. Glenn Cohen, Privacy in the Age of Medical Big Data, 25 Nature Med. 37, 41 (2019); Ram, Entirety, supra note 47, at 894.

145 45 C.F.R. § 160.103 (2014). Covered entities are healthcare providers, health plans, or healthcare clearinghouses. Id. Business associates are companies that conduct certain billing or data analysis services for covered entities. Id.

146 Consulting companies and research entities generally do not qualify as covered entities or business associates. Companies that provide the genetic analysis for commercial purposes also likely do not qualify unless they qualify as healthcare providers. Thus, the majority of the private companies with health information databases discussed in this article are not regulated by HIPAA or GINA.

147 See 45 C.F.R. § 164.306(a)(1) (2018) (Privacy Rule); 45 C.F.R. § 164.312 (Security Rule); see also 45 C.F.R. § 164.306(d)(3)(i) (making addressable standards mandatory if they are “reasonable and appropriate”).

148 Price & Cohen, supra note 144; Ram, Entirety, supra note 47, at 894.

149 Price & Cohen, supra note 144.

150 See Bob, Brown, Disclosing Protected Health Information to Law Enforcement Agencies, 8 J. Health Care Compliance 33, 33 (2006)Google Scholar.

151 Stephen, D. Lapatin, Comment, Rhode Island's Prescription Drug Database: Warrantless Searches by Law Enforcement Pass Constitutional Muster, 23 Roger Williams U.L. Rev. 526, 535 (2018)Google Scholar (citing 45 C.F.R. § 164.512(f)(1)(ii)(C) (2017)).

152 21 U.S.C. § 876(a) (2012). This subpoena power has been repeatedly challenged based on the expectation of privacy in prescription records, to differing results. Compare Or. Prescription Drug Monitoring Program v. U.S. Drug Enf't Admin., 998 F. Supp. 2d 957, 967 (D. Or. 2014), rev'd on other grounds, 860 F.3d 1228 (9th Cir. 2017) (finding the administrative subpoena violates the Fourth Amendment in the prescription drug monitoring program context) with U.S. Dep't of Justice Drug Enf't Admin. v. Utah Dep't of Commerce, No. 2:16-cv-611-DN-DBP, 2017 WL 3189868, at *8-9 (D. Utah July 27, 2017) (finding that the use of the administrative subpoena does not implicate Fourth Amendment protections).

153 Kirsten, Dedrickson, Universal DNA Databases: A Way to Improve Privacy?, 4 J.L. Biosci. 637, 638 (2017)Google Scholar; 23&you – Warrantless Searches of Familial DNA, Health Law & Policy Brief (Jan. 23, 2019, 7:23 PM), http://www.healthlawpolicy.org/23you-warrantless-searches-of-familial-dna/ [https://perma.cc/VC56-HNJH] (“Courts might rule that, like historical cell site information from a suspect's cellphone, genetic information provides an intimate window into a person's personal life. But this is unlikely since the courts allow law enforcement to obtain DNA samples from suspects and analyze the sample by running it through criminal databases.”).

154 Maryland v. King, 569 U.S. 435, 465-66 (2013).

155 See Nicholas, D. Wolff & Jon, A. Wolff, A Commentary on Commercial Genetic Testing and the Future of the Genetic Counseling Profession, 27 J. Genetic Counseling 521, 521 (2018)Google Scholar.

156 See Emilia, Niemiec & Heidi, Carmen Howard, Ethical Issues in Consumer Genome Sequencing: Use of Consumers' Samples and Data, 8 Applied & Translational Genomics 23, 24 (2016)Google Scholar (describing uses for which companies keep genetic information, most of which consumers are unaware and none of which are the purpose for which the data was collected).

157 See Clayton et al., supra note 137, at 29 (“The founders of GEDMatch report that more people support the use of data to identify potential criminals than object.”).

158 See Ohm, supra note 70, at 371 (citing Orin S. Kerr, Four Models of Fourth Amendment Protection, 60 Stan. L. Rev. 503, 512-15 (2007)).

159 See Carpenter, 138 S. Ct. at 2217 (“Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user's claim to Fourth Amendment protection.”); id. at 2220 (“Given the unique nature of cell phone location information, the fact that the Government obtained the information from a third party does not overcome Carpenter's claim to Fourth Amendment protection.”); id. at 2226 (Kennedy, J., dissenting) (“Cell-site records were uniquely suited to this task.”).

160 See, e.g., id. at 2232 (Kennedy, J., dissenting) (“Still, the Court maintains, cell-site records are ‘unique’ because they are ‘comprehensive’ in their reach; allow for retrospective collection; are “easy, cheap, and efficient compared to traditional investigative tools”; and are not exposed to cell phone service providers in a meaningfully voluntary manner.”).

161 See, e.g., Missouri v. Holland, 252 U.S. 416, 433 (1920) (“The case before us must be considered in the light of our whole experience and not merely in that of what was said a hundred years ago.”); see also Orin, S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005, 1009 (2010)Google Scholar (“Technology provides new ways to do old things more easily, more cheaply, and more quickly than before. As technology advances, legal rules designed for one state of technology begin to take on unintended consequences. If technological change results in an entirely new technological environment, the old rules no longer serve the same function. New rules may be needed to reestablish the function of the old rules in the new technological environment.”). But see City of Ontario v. Quon, 560 U.S. 746, 759 (2010) (Kennedy, J.) (“The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.”). See generally Andrew Guthrie Ferguson, The “Smart” Fourth Amendment, 102 Cornell L. Rev. 547 (2017) (discussing how various smart device technologies interact with the Fourth Amendment).

162 See, e.g., Carpenter, 138 S. Ct. at 2232 (Kennedy, J., dissenting) (citations omitted) (“Still, the Court maintains, cell-site records are ‘unique’ because they are ‘comprehensive’ in their reach; allow for retrospective collection; are ‘easy, cheap, and efficient compared to traditional investigative tools’; and are not exposed to cell phone service providers in a meaningfully voluntary manner.”).

163 See Marr, supra note 8; see also Cortez, supra note 5, at 65.

164 See Marr, supra note 8.

165 Kyllo v. United States, 533 U.S. 27, 35, 37 n.4 (2001); Jeffrey M. Skopek, Big Data's Epistemology and Its Implications for Precision Medicine and Privacy, in Big Data, Health Law, and Bioethics 39 (I. Glenn Cohen, Holly Fernandez Lynch, Effy Vayenea, & Urs Gasser eds., Cambridge Univ. Press, 2018).

166 See Skopek, supra note 165, at 40.

167 See, e.g., Boesen, supra note 62.

168 Others have discussed the risks of analysis and correlation to justify other exceptions to the warrant requirement of the Fourth Amendment, for example the exigency requirement. See Mason Marks, Artificial Intelligence Based Suicide Prevention, Yale J. Health Pol'y L. & Ethics (forthcoming) (draft at 29) (available at https://ssrn.com/abstract=3324874) (“[I]t may be unreasonable to rely on opaque AI-generated suicide predictions to circumvent Fourth Amendment protections when no information regarding their accuracy is publicly available…Facebook and Crisis Text Line make suicide predictions based on internal data rather than data from real suicides. We don't know how accurate their predictions are, what criteria they use to decide when law enforcement should be contacted, or what information they provide to police. Exceptions to the warrant requirement should not be made based on such paltry information.”).

169 Tal, Z. Zarsky, Correlation versus Causation in Health-Related Big Data Analysis: The Role of Reason and Regulation, in Big Data, Health Law, and Bioethics 55 (I. Glenn Cohen, Holly Fernandez Lynch, Effy Vayenea, & Urs Gasser eds., Cambridge Univ. Press, 2018)Google Scholar.

170 This too could change as the technology advances. While the health information would likely remain entitled to heightened protection due to the nature of the information, the intrusions associated with big data and the risks associated with false positives would be less compelling as the technology becomes more available and the algorithms become more accurate.

171 Carpenter v. United States, 138 S. Ct. 2206, 2220 (2018).

172 See id. at 2219.

173 See id. at 2220.

174 See id.

175 See Cortez, supra note 5, at 63.

176 See, e.g., Or. Prescription Drug Monitoring Program v. U.S. Drug Enf't Admin., 998 F. Supp. 2d 957, 967 (D. Or. 2014), rev'd on other grounds, 860 F.3d 1228 (9th Cir. 2017) (“The submission of prescription information to the PDMP is required by law. The only way to avoid submission of prescription information to the PDMP is to forgo medical treatment or to leave the state. This is not a meaningful choice.”).

177 See Carpenter v. United States, 138 S. Ct. 2206, 2223-24 (2018) (Kennedy, J., dissenting) (“individuals have no Fourth Amendment interests in business records which are possessed, owned, and controlled by a third party.”); id. at 2241-43 (Thomas, J., dissenting) (discussing cell-site location information as business records with no expectation of privacy); id. at 2257 (Alito, J., dissenting) (arguing that the majority's holding “cannot be defended under either a property-based interpretation of [the Fourth] Amendment or our decisions applying the reasonable-expectations-of-privacy test adopted in Katz.”).

178 Carpenter, 138 S. Ct. at 2272 (Gorsuch, J., dissenting).

179 William, Baude & James, Y. Stern, The Positive Law Model of the Fourth Amendment, 129 Harv. L. Rev. 1821, 1825 (2016)Google Scholar; see also Ohm, supra note 70, at 413.

180 See Who Owns Medical Records: 50 State Comparison, Health Info. & the Law (Aug. 20, 2015), http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison [https://perma.cc/8YKN-WU6U]. The exception is New Hampshire, where patients own their medical records. Id.

However, some states have passed statutes granting individuals property rights in their genetic information. See Amy, L. McGuire et al., Who Owns the Data in Medical Information Commons?, 47 J.L., Med. & Ethics 62, 66 (2019)Google Scholar (discussing Alaska, Colorado, Florida, Georgia, and Louisiana state statutes granting individuals property rights in their genetic information).

181 See Jessica, L. Roberts, Progressive Genetic Ownership, 93 Notre Dame L. Rev. 1105, 1121-1133 (2018)Google Scholar (discussing theories of genetic ownership and noting that people do generally do not have property rights in their genetic material).

182 See id. at 1123 (explaining how different entities may claim ownership of genetic information give that “[a] research who develops an immortal cell line from a human cancer cell might assert that she should own the result because of her scientific efforts,” and similarly, “the provider of the cancer cell could likewise claim ownership because the cell line was made possible by her unique genetic information”).

183 See id. at 1123-24.

184 See Who Owns Medical Records: 50 State Comparison, supra note 180.

185 Wendy, K. Mariner, Reconsidering Constitutional Protection for Health Information Privacy, 18 U. Pa. J. Const. L. 975, 1010 (2016)Google Scholar (“Scholarly views of medical record ownership vary, with some commentators arguing that while the provider may own the record, the patient owns the information in the record.”); McGuire et al. supra note 180, at 65 (“in some jurisdictions, patients may own their data albeit not their physical [medical] records”).

For further discussion of health and genetic information as property and the challenges of this inquiry, see Roberts, supra note 181; Jorge L. Contreras, Do You Own Your Genetic Test Results? What About Your Temperature?, Bill of Health (May 13, 2019), http://blog.petrieflom.law.harvard.edu/2019/05/13/doyou-own-your-genetic-test-results-what-about-your-temperature/ [https://perma.cc/KMS6-9VNF].

186 Haug, supra note 4, at 2205. On the other hand, giving individuals property rights to their data could have significant ramifications outside of the Fourth Amendment context, potentially stifling medical research and innovation.

For a discussion of additional challenges in the Fourth Amendment analysis computer data searches and seizures, see Orin, S. Kerr, Fourth Amendment Seizures of Computer Data, 119 Yale L.J. 700 (2010)Google Scholar.

187 45 C.F.R. § 164.524 (2014).

188 See The Law and Medical Privacy, Elec. Frontier Found., https://www.eff.org/issues/lawand-medical-privacy [https://perma.cc/GC8Z-ERZ5] (last visited Nov. 4, 2019) (collecting California privacy laws).

189 See Margot E. Kaminski, Carpenter v. United States: Big Data Is Different, Geo. Wash. L. Rev.: On The Docket (July 2, 2018), https://www.gwlr.org/carpenter-v-united-states-big-data-is-different/ [https://perma.cc/E6VY-AYM6] (“The central, narrow holding in Carpenter is that in the age of Big Data, detailed historic location information is now sensitive information. A person can have a reasonable expectation of privacy in it, despite having ventured through public places. This evidences two important moves in the Court's reasoning about Big Data: (1) an understanding that formerly categorically nonsensitive data can become categorically sensitive through the inferences one makes using it; and (2) the beginning of an understanding that the law should protect sensitive inferences themselves, regardless of the sensitivity of the underlying data being revealed.”).

190 See id.

191 See discussion supra Sections III.A, III.B.3.

192 Sejin, Ahn, Whose Genome is it Anyway?: Re-identification and Privacy Protection in Public and Participatory Genomics, 52 San Diego L. Rev. 751, 775-76 (2015)Google Scholar.

193 Kaminski, supra note 189.

194 See Marks & Li, supra note 9.

195 Id. (citing Mason Marks, Facebook Should ‘First Do No Harm’ When Collecting Health Data, Bill of Health (Apr. 20, 2018), http://blogs.harvard.edu/billofhealth/2018/04/20/facebook-should-first-dono-harm-when-collecting-health-data/ [https://perma.cc/6H5P-FUP2]).

196 U.S. Dep't of Justice Drug Enf't Admin. v. Utah Dep't of Commerce, No. 2:16-cv-611-DNDBP, 2017 WL 3189868, at *3 (D. Utah July 27, 2017) (federal Controlled Substances Act granting DEA subpoena power preempted Utah state law requiring a warrant to access the state controlled substances database).