25 HIPAA HARMS:  How HIPAA impacts patient privacy rights

The Health Insurance Portability and Accountability Act (HIPAA) was signed on August 21, 1996. To show how little privacy you have, here are 25 ways HIPAA harms you.

Protect your Rights!

MYTH: HIPAA protects your medical privacy

FACT: HIPAA eliminated patient consent requirements and potentially opens your medical records to 2.2 million entities, plus government agencies.

MYTH: Signing the form or statement about the clinic's or hospital's "Notice of Privacy Practices" (NPP) means your medical information will be kept private.

FACT: The form regarding the NPP is only an acknowledgement that you have read the form, and therefore understand that you have NO privacy rights, and that your information can be broadly shared without your consent. You are NOT required to sign it (see below). NOTE: Neither signing nor refusing to sign the form/statement protects your privacy. If you read the NPP, you'll understand that your signature acknowledges that you know you have no privacy.

MYTH: The federal HIPAA law and its "privacy rule" are the highest laws of the land and have the final say on whether patient data can be shared or must be protected.

FACT: State medical privacy laws are the highest laws. Your data can be broadly shared under HIPAA unless your state legislature has enacted a real privacy law. HIPAA's "permissive sharing" law is superseded by most state medical privacy laws.

(Contact CCHF if you're denied treatment)



Click this link (or look below) to see the exact section of the federal HIPAA privacy rule that only requires your clinic or hospital to make a good faith effort to obtain your signature on the form. They can't require it.

See below for how to get your own HIPAA "not required to sign" card to give to your clinic or hospital. 



1) Exercise your rights under the law not to sign the "HIPAA privacy form" or the Notice of Privacy Practices acknowledgement statement on many clinic and hospital consent forms.

2) Refuse to participate in perpetuating the deception that the HIPAA form or the Notice of Privacy Practices statement protects your privacy.

3) Enlighten the clinic and hospital staff on the truth about HIPAA and your right not to sign.

4) Prevent the clinic from waving the signed form under your nose and claiming that you should have known when you complain after learning they shared your confidential data without your consent.

5) You will help CCHF move the nation toward the truth about HIPAA and its eventual repeal (and restoration of patient consent, personal control, and ownership rights to one's own medical and genetic data)

OUR CAMPAIGN IS WORKING: While most clinic staff firmly believe you have to sign it to receive treatment, and most think HIPAA protects your privacy, the federal government has now issued a document which says you don't have to sign it and they still have to treat you. That's why you should take this federal document with you

THEY STILL HAVE TO TREAT YOU (Screenshot of Federal form): 


Submit Your HIPAA Story to CCHF

Federal law and rule

Click here for a printable one-page flyer to share with others - "HIPAA: The Grand Deception"

For 12 personal stories of those who refused, see our report: The HIPAA Privacy Deception

Click here to file a complaint if you feel your health information privacy rights were violated:  HHS OCR

If you would like a wallet card to carry with you and share when necessary, we send one card out to anyone who asks. If you would like to have multiple copies, we request a donation of any size to help cover printing costs. Mail your donation (with a note of how many wallet cards you would like to have sent to you) to: CCHF, 161 St. Anthony Ave, Ste 923, Saint Paul, MN 55103. even says that you don't have to sign it. See red arrow added by CCHF below.


GOOD FAITH EFFORT - THE RULE: The federal privacy rule only requires that the clinic or hospital make a good faith effort to obtain your signature on the form. Your signature is not required and cannot be compelled. Although the following document was released in October 2002 prior to the April 14, 2003 effectiveness date, this language remains in effect. It has not been altered over time:



** New in 2019 ** Click here to view the CMS Process for processing HIPAA complaints **



No Privacy Rights: Contrary to popular belief, signing the "HIPAA privacy form" does not provide you with privacy or consent rights.

HIPAA is permissive, giving 2.2 million entities, plus government, access to your medical records without your consent. Your signature is simply an acknowledgment that you have understood that your data will be broadly shared and that you have received and understood the clinic or hospital's "Notice of Privacy Practices" form, which can best be described as a "Notice of Data DISCLOSURE Practices."

The form could be used against you if you ever declare that your privacy rights have been violated. If signed, the clinic or hospital may simply point to your signature and tell you that you knew that your private data was going to be shared broadly. But do note, as shown in the notice above (bullet point #3), that they can share your information broadly with or without your signature.

Patient Consent Requirements Eliminated: The Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) eliminated longstanding legal written informed patient consent requirements for the sharing of private medical data.

Thus, the U.S. Department of Health and Human Services notes in the final rule that approximately 600,000 entities, plus their business associates, may now be given access to your private medical data without consent. Then in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act became law, adding 1.5 million "business associates" to those who could peer into medical records without patient consent. In all, more than 2.2 million entities are allowed to access private medical records according to the federal government. But the list doesn't include local, state and federal governments, which are also given access without consent if there's a "need to know" under the rule.

Thus, the federal "privacy" Notice simply informs you about the purposes for which your health data can be shared broadly without your consent and the types of entities with whom it may be shared.

State Law can Protect. The federal HIPAA law allows state privacy laws that truly protect privacy to supersede the federal law. Where state law is more protective, it must be followed. Thus, as the Mayo Clinic notes on their 2011 updated Notice of Privacy Practices, certain state laws (e.g. Minnesota, Iowa and Florida) may protect your health privacy where the federal privacy rule does not.

To be clear, the federal privacy rule does NOT protect your privacy. It actually opened your medical records to outsiders and allowed your private data to be computerized and placed online in anticipation of creating State Health Information Exchanges (HIEs) and a National Health Information Network (NHIN), now called the eHealth Exchange. The NHIN was given approximately $35 billion in the HITECH Act section of the American Recovery and Reinvestment Act of 2009 ("stimulus" bill). To get a sense of where Health IT is headed, read the Jan. 2010 Interview with David Blumenthal on NHIN (InformationWeek).

Actions, Opportunities and Warnings:

Resist Conforming State Law to HIPAA: State lawmakers must enact real privacy-protecting law. They must also avoid any and all attempts to conform State law with the federal HIPAA "privacy" Rule (45 CFR Part 160, 164). Such laws may void current State privacy laws or eliminate the possibility of enacting strong, truly protective State health privacy laws in the future.

Take a Stand at Your Clinic: To assert your right to refuse signing the Notice, you may simply refuse to sign the Notice of Privacy Practices section on the consent form. You may cross out the Notice of Privacy Practices section and refuse to sign it. You may refuse to sign it even if they ask you to sign that you refused to sign it. You may also file a complaint with the Office of Civil Rights at the U.S. Department of Health and Human Services if you believe your rights have been violated.

Warning Before You Act: Some clinics are now incorporating the Notice within their consent for treatment forms. You may choose to cross out the lines related to the Notice of Privacy Practices. Keep in mind that most clinic staff believe the document actually protects privacy. This is your opportunity to educate them. Feel free to copy and share the federal language in the documents accessible on this web page.

Please Notify CCHF: If your clinic refuses to treat you because you refuse to sign the form (we continue to hear stories from people whose clinics refuse to treat them if they don't sign the form), please notify CCHF in writing with the details of your encounter. We will contact you if we'd like to share your story.