Exposing HIPAA: The deliberate deception

HIPAA is not a privacy law. This widely held misconception makes HIPAA one of the most pervasive medical deceptions.

HIPAA has become synonymous with medical privacy. However, HIPAA is not a privacy law. (Shutterstock)

HIPAA has become synonymous with medical privacy. However, HIPAA is not a privacy law. This widely held misconception makes HIPAA one of the most pervasive medical deceptions. The reality is, HIPAA is a permissive data sharing rule that enables — not prevents — the sharing of private health information.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was not passed to address privacy concerns in health care. Instead, it was created “with the dual goals of making health care delivery more efficient and increasing the number of Americans with health insurance coverage.” Because HIPAA also expanded digitization and electronic sharing of health data, Congress was required to create standards to protect medical privacy, which led to the 2003 HIPAA Privacy Rule.

However, the now 20-year-old “Privacy Rule” is misleading. The National Library of Medicine states that, “researchers must now follow the provisions of the HIPAA Privacy Rule when obtaining data from a covered entity.” In most people’s minds, the covered entity is the doctor, hospital, clinic, or laboratory they shared their information with. Few imagine that there are more than 700,000 covered entities plus 1.5 million business associates that could have access to a patient’s medical records if the covered entity chooses to share them. Patient consent is not required.

The perception that HIPAA protects privacy gives patients a false sense of security when they enter the exam room. Since the Privacy Rule’s enactment, “privacy advocates and others have argued that the United States needs stronger privacy protections than are provided in the HIPAA Privacy Rule.” Yet, those calling for stronger privacy regulations have been overruled by the powerful corporate and research lobbies that convinced Congress to eliminate patient consent requirements for the sharing of private health information.

Privacy is essential to timely and excellent medical care. When people view their data as unsecure, they will withhold information, harming their ability to receive accurate treatment. Yet, current law ignores the harms that people endure through having their data shared without their consent. Instead, the HIPAA Privacy Rule prioritizes researchers and corporate interests over patients.

What options do patients have to protect their privacy and receive quality care? First, patients can refuse to sign the Notice of Privacy Practices (NPP) acknowledgement statement when they go in for treatment. Signing the acknowledgement statement means that the patient has read or received the Notice of Privacy Practices — which is actually a notice of disclosure practices — not that their data will be kept private. Although some providers may insist otherwise, no law requires patients to sign the NPP acknowledgement statement to receive treatment. Health care facilities must make a “good faith effort” to have patients sign the form; they do not need a signature.

If patients have already signed the Notice of Privacy Practices acknowledgement statement, they can choose to revoke their consent. However, revoking consent does not change the clinic’s or hospital’s right under HIPAA to share your data without your consent. The federally mandated request for a signature is simply part of a ruse to convince you that you have privacy when you have none. It is pure deception.

Until Congress makes changes to HIPAA or states enact medical privacy and consent laws to protect patient privacy more stringently, patients must advocate for their records to remain private. This is not to say that patient privacy will never be achieved. As individuals learn the truth about HIPAA — and the deliberate deception those profiting from patient data have perpetuated — there will be increased pressure on Congress and states to restore true privacy rights that require patient consent before the sharing of any protected health information.

In April, the 20th anniversary of HIPAA, Citizens’ Council for Health Freedom (CCHF) ran a month-long campaign to expose the truth about HIPAA. To learn more about HIPAA or CCHF, visit cchfreedom.org or find us on Facebook.


Natasha Chernyavsky

Natasha Chernyavsky is a legislative and policy specialist for Citizens' Council for Health Freedom.