Click this link (or look below) to see the exact section of the federal HIPAA privacy rule that only requires your clinic or hospital to make a good faith effort to obtain your signature on the form. They can't require it.

Click here for a printable one-page flyer to share with others - "HIPAA: The Grand Deception"

If you would like a wallet card to carry with you and share when necessary, we send one card out to anyone who asks. If you would like to have multiple copies, we request a donation of any size to get that out to you. Please note how many wallet cards you would like to have with your donation.


By federal law and rule, you are not required to sign the clinic's or hospital's federal HIPAA "Privacy" form, even if the clinic or hospital tries to insist that you must. *See Actions, Opportunities and Warnings below. even says that you don't have to sign it. See red arrow added by CCHF below.



The federal privacy rule only requires that the clinic or hospital make a good faith effort to obtain your signature on the form. Your signature is not required and cannot be compelled. Although the following document was released in October 2002, prior to the April 14, 2003 effective date, this language remains in effect. It has not been altered over time:



No Privacy Rights: Contrary to popular belief, signing the "HIPAA privacy form" does not provide you with privacy or consent rights.

HIPAA is permissive, giving 2.2 million entities access to your medical records without your consent. Your signature is simply an acknowledgment that you have understood that your data will be broadly shared; that you have received and understood the clinic or hospital's "Notice of Privacy Practices" form, which can best be described as a "Notice of Data DISCLOSURE Practices." 

The form could be used against you if you ever declare that your privacy rights have been violated. If signed, the clinic or hospital may simply point to your signature and tell you that you knew that your private data was going to be shared broadly. But do note, as shown in the notice above (bullet point #3), that they can share your information broadly with or without your signature.


No Consent Requirements: The Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) eliminated longstanding legal written informed patient consent requirements for the sharing of private medical data.

Thus, the U.S. Department of Health and Human Services notes in the final rule that approximately 600,000 entities, plus their business associates, may now be given access to your private medical data without consent. Then in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act became law, adding 1.5 million "business associates" to those who could peer into medical records without patient consent. In all, more than 2.2 million entities are allowed to access private medical records according to the federal government.

Thus, the federal "privacy" Notice simply informs you about the purposes for which your health data can be shared broadly without your consent and the types of entities with whom it may be shared.


State Law can Protect. The federal HIPAA law allows state privacy laws that truly protect privacy to supersede the federal law. Where the state law is more protective, it must be followed. Thus, as the Mayo Clinic notes on their 2011 updated Notice of Privacy Practices, certain state laws (Minnesota and Iowa) may protect your health privacy where the federal privacy rule does not.

To be clear, the federal privacy rule does NOT protect your privacy. It actually opened your medical records to outsiders and allowed your private data to be computerized and placed online in anticipation of creating State Health Information Exchanges (HIEs) and a National Health Information Network (NHIN), now called the eHealth Exchange. The NHIN was given approximately $35 billion in the HITECH Act section of the American Recovery and Reinvestment Act of 2009 ("stimulus" bill). To get a sense of where Health IT is headed, read the Jan. 2010 Interview with David Blumenthal on NHIN (InformationWeek).


Actions, Opportunities and Warnings:

Resist Conforming State Law to HIPAA: State lawmakers must enact real privacy-protecting law. They must also avoid any and all attempts to conform State law with the federal HIPAA "privacy" Rule (45 CFR Part 160, 164). Such laws may void current State privacy laws or eliminate the possibility of enacting strong, truly protective State health privacy laws in the future.

Take a Stand at Your Clinic: To assert your right to refuse to sign the Notice, you may simply refuse to sign the Notice of Privacy Practices section on the consent form. You may cross out the Notice of Privacy Practices section and refuse to sign it. You may refuse to sign it even if they ask you to sign that you refused to sign it. You may also file a complaint with the Office of Civil Rights at the U.S. Department of Health and Human Services if you believe your rights have been violated.

Warning Before You Act: Some clinics are now incorporating the Notice within their consent for treatment forms. You may choose to cross out the lines related to the Notice of Privacy Practices. Keep in mind that most clinic staff believe the document actually protects privacy. This is your opportunity to educate them. Feel free to copy and share the federal language in the documents accessible on this web page.

Please Notify CCHF: If your clinic refuses to treat you because you refuse to sign the form (we continue to hear stories from people whose clinics refuse to treat them if they don't sign the form), please notify CCHF in writing with the details of your encounter. We will contact you if we'd like to share your story.