20 HIPAA Harms

How HIPAA impacts patient privacy rights

In April, 2003, the “HIPAA Privacy Rule” went into effect. 20 years later we see the harms of the law that eliminated patient privacy rights.

1. HIPAA permits your health records, tests, diagnoses, and doctor’s notes to be shared between physicians and hospitals without your knowledge, making it nearly impossible to get an unbiased second opinion. (§164.506)

2. Hospitals can contact and share patient information with organ procurement companies without the consent of you or your dying loved one. Companies can review medical records and come to your hospital room without warning to seek organ donation—unless a state law prohibits it. (§164.512)

3. HIPAA permits health plans and the government to access private health information without patient consent for many different purposes. (§164.512)

4. HIPAA permits 2.2 million entities to access your medical record information if the entity holding your information decides to share it. (Federal Register, Vol. 75, No. 134, July 14, 2010; see pages 40872, 40906, 40907, 40911)

5. HIPAA permits disclosure of your private health information for many different purposes having nothing to do with your treatment. (§164.512 / “health care operations”)

6. HIPAA does not allow you to restrict access to your health information. You may request restrictions, but there is no obligation to honor your request. (§164.520)

7. Under HIPAA, physicians who refuse to follow government-standardized protocols for treatment can be penalized. (§164.506 / Quality Measurement, PQRS, MIPS)

8. As a result of >50,000 public comments, HIPAA originally required patient consent for sharing data for treatment, payment, and health care operations. In 2001, the industry successfully lobbied to eliminate consent. (HIPAA Proposed Rule, 2002 – Federal Register/Vol. 67, No. 59)

9. HIPAA permits researchers and Big Data to use your medical and genetic information for research without your knowledge or consent. (§164.512)

10. “You can’t force a covered entity to give your data to someone you choose, and you can’t stop them from giving it to someone they choose.” (David Brailer, former National Health IT Coordinator, Healthcare IT News, May 1, 2015)

11. Patient information can be shared for public health and health oversight activities, judicial and administrative proceedings, law enforcement purposes, and “research” without your consent. (§164.512)

12. “HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it has effectively dismantled the longstanding moral and legal tradition of patient confidentiality.” (Dr. Richard Sobel, Associate, Du Bois Institute, Harvard University)

13. HIPAA allows those who hold medical information to share it with the government, allowing government agencies to gather private patient data without consent.

14. HIPAA allows research without patient consent despite only 1% of people being comfortable with non-consensual research. (Wendy K. Mariner)

15. Patient data that is “deidentified” under the HIPAA deidentification standard or provided as a “limited data set” could be reidentified, according to the U.S. Dept. of Health and Human Services. (§164.528)

16. The federal HIPAA Administrative Simplification Regulation is 115 pages long and contains over 67,000 words – yet “consent” is only mentioned 17 times, and rarely about data-sharing.

17. The title “Privacy Rule” misleads most state legislators, who think HIPAA protects privacy, so they don’t enact stronger state medical privacy laws. (§160.202)

18. Clinics and hospitals are not required to give you an accounting of most disclosures of your information—unless state law requires it. (§164.528)

19. A 2010 Black Book survey of 12,900 consumers found that 87% of patients were unwilling to divulge all their medical information and 89% reported withholding information during visits with their provider.

20. Google’s “Project Nightingale” collects data on millions of Americans using health records provided by Ascension facilities in 21 states. (HIPAA “health care operations” and “business associate agreements”)
