HIPAA and the U.S. Government: Can Federal Agencies Access Your Medical Data?

The recent proposal by the United States Secretary of Health and Human Services, Robert F. Kennedy Jr., to create a federal autism registry has sparked significant debate about government access to private medical information. It raised alarm among groups like the Autistic Self Advocacy Network (ASAN), which published a statement expressing concern about the implications of a registry that may expose the PHI or PII of autistic people.

In their public statement, ASAN expressed grave concerns about the potential exposure of protected health information for autistic individuals. The organization notes that the current administration has a poor track record on protecting vulnerable populations. This ongoing controversy highlights an important question for healthcare providers, compliance officers, and privacy-conscious citizens: Under what circumstances can federal agencies legally access Americans’ medical records? The answer lies in HIPAA’s careful balance between privacy protections and provisions that allow using de-identified data for legitimate public health needs.

HIPAA’s Privacy Framework and the Registry Proposal

Core Privacy Protections

The Health Insurance Portability and Accountability Act (HIPAA) establishes strict limitations on disclosing protected health information without the patient’s consent. HIPAA permits sharing only in three specific circumstances: for treatment purposes, payment processing, and healthcare operations. A broad autism registry would struggle to qualify under any of these exceptions.

HIPAA’s “Minimum Necessary” standard presents another significant barrier. This requirement stipulates that only the essential health information necessary for a specific purpose can be shared. The 2017 case against Memorial Hermann Health System illustrates the seriousness with which regulators take this principle. The health system faced a $5.1 million penalty for sharing more patient data than necessary, even though the disclosure was well-intentioned.

Questionable Legal Pathways

Proponents might argue that the public health exemption (§ 164.512(b)) permits limited instances of PHI disclosure for disease tracking. This is not a good argument: the exception applies specifically to communicable diseases, and neurotype differences such as autism do not qualify. Other potential avenues raise their own concerns.

In addition, RFK Jr. and the administration he serves under have cut budgets and research programs across the board, including the purposeful weakening and defunding of bodies like the CDC. The CDC does hold extraordinary powers, including the ability to hold Americans without due process to prevent the spread of communicable disease (which autism is, obviously, not); read more about those powers in the CDC’s Field Epidemiology Manual.

The PATRIOT Act has been used to access mental health records under national security claims, though such actions remain legally controversial. Similarly, the CDC’s quarantine authority is intended for genuine public health emergencies. Like most federal agencies, the CDC has seen its capabilities weakened by significant budget cuts in recent weeks.


Inadequate Data Protections

Privacy Risks and Legal Challenges

Even if legal hurdles are cleared, substantial practical privacy concerns remain. Research shows that supposedly de-identified health data can often be re-linked to individuals through modern data analysis techniques. State laws, such as California’s Confidentiality of Medical Information Act, impose additional consent requirements that would complicate the establishment of a national registry.

California isn’t the only state with legislation that could create an issue for enacting this type of surveillance. Illinois’s $5,000 per violation fines could potentially bankrupt a poorly executed registry of PHI/PII. These fines first arose as a provision of the Biometric Information Privacy Act (BIPA). The law itself came about in response to the verdict reached in Rosenbach v. Six Flags after Six Flags took and stored Stacy Rosenbach’s son’s fingerprints without her consent when purchasing his season pass.

International implications also matter. The European Union’s General Data Protection Regulation would pose compliance challenges for any registry that sought to maintain the health data of EU citizens residing in the United States. Layered protections like these exist for good reason, as ASAN emphasized in their statement about the need for rigorous privacy safeguards around the personal data of autistic Americans.

Disability Rights Implications

An autism registry would likely violate the Americans with Disabilities Act in multiple ways. The ADA prohibits disability-based discrimination, yet centralized health databases have historically enabled exactly that. The 2018 case of Doe v. Michigan demonstrated how easily school systems can misuse individualized education program data when proper safeguards aren’t in place.

Employment discrimination represents another significant risk. Employers might misuse registry information under the Equal Employment Opportunity Commission’s “direct threat” exceptions. This possibility arises despite Supreme Court rulings that have previously limited the viability of defenses like this one. These concerns aren’t hypothetical but reflect real-world patterns of disability discrimination.

Historical Context and Modern Parallels

Dangerous Precedents

History offers sobering lessons about the use of medical registries for nefarious purposes. The 1927 Supreme Court case Buck v. Bell approved forced sterilization using registry data, reflecting the dark era of eugenics in American medicine. More extreme examples, like Nazi Germany’s T4 program, show how health tracking systems can be weaponized against vulnerable populations.

While such comparisons may seem harsh, they reflect legitimate concerns in the disability community. When governments create systems to identify and track specific populations, the potential for abuse is constant. The recent public outcry against RFK Jr.’s autism registry proposal suggests these historical lessons remain fresh in many minds.

Systemic Contradictions

The registry proposal appears particularly questionable given recent sweeping cuts to healthcare funding. The current administration has cut $1.3 billion from the CDC’s budget and reduced NIH autism research funding by $2.5 billion while advocating for expanded data collection in this case. The cuts undermine the government’s capacity to manage sensitive health information responsibly. A notable example of this issue, which predated the last 100 days, is the 2021 COVID-19 data breach that affected the CDC.

The proposal’s scientific premise also raises concerns. Claims about “curing autism by September” ignore the established medical understanding of autism as a neurodevelopmental difference rather than a disease and minimize the obvious impact of the administration’s targeting and defunding of university-led research initiatives. Meanwhile, chronic underfunding of special education programs leaves schools struggling to meet existing obligations, let alone implement sweeping new initiatives.


Compliance Realities for Healthcare Organizations

Security and Legal Risks

Implementing such a registry would face substantial practical barriers. The HITECH Act’s encryption requirements would strain already underfunded government IT systems. Laws like Illinois’ Biometric Information Privacy Act create significant financial liability for data mishandling, with penalties of up to $5,000 per violation.

The case of Excellus Health Plan illustrates these risks. In 2021, Excellus was fined $5.1 million for HIPAA security failures that exposed patient data. If established healthcare organizations with dedicated compliance teams struggle with these requirements, government agencies operating with reduced budgets would likely fare worse.

Maintaining Standards Amid Political Shifts

This controversy offers important lessons for healthcare providers and organizations handling protected health information. Regulatory environments change with administrations, but privacy risks remain constant. Regardless of political winds, organizations that maintain rigorous compliance standards position themselves best for long-term success.

Documentation of how your company has adopted common-sense compliance standards in similar cases is particularly important. When enforcement priorities shift, thorough records demonstrating consistent compliance provide crucial protection. The HIPAA Wall of Shame, which publicizes major health data breaches, is a constant reminder of the risks involved.

Conclusion: Protecting Privacy in Practice

The swift retreat from the autism registry proposal demonstrates that while imperfect, HIPAA’s protections and public opinion can still prevent or mitigate potential government overreach. It also clearly demonstrates that public vigilance remains crucial in safeguarding medical privacy. For healthcare organizations, the path forward involves treating HIPAA requirements as a baseline rather than a goal. Organizations must develop compliance programs that can withstand political changes and emerging challenges.

The fundamental question isn’t whether the government can access medical data, but whether it should do so without a compelling justification and proper safeguards. Before expanding access, federal agencies (and private companies that handle sensitive health or medical data) should demonstrate that they can protect the health information they already hold. Until then, maintaining strict privacy standards regardless of who currently occupies the Oval Office remains our best defense against overreach and underregulation.

Catherine Darling Fitzpatrick

Catherine Darling Fitzpatrick is a B2B writer. She has worked as an anti-bribery and anti-corruption compliance analyst, a management consultant, a technical project manager, and a data manager for Texas’ Department of State Health Services (DSHS). Catherine grew up in Virginia, USA and has lived in six US states over the past 10 years for school and work. She has an MBA from the University of Illinois at Urbana-Champaign. When she isn’t writing for clients, Catherine enjoys crochet, teaching and practicing yoga, visiting her parents and four younger siblings, and exploring Chicago where she currently lives with her husband and their retired greyhound, Noodle.
