The Illusion of Medical Privacy
By Naomi Brockwell, Founder and Director of NBTV
In the United States, we have something called HIPAA. Many of you will be vaguely familiar with the term and have surely encountered HIPAA forms at the doctor’s office. If you were to ask the average person what HIPAA is, the broad consensus would be that it’s a law to protect your medical privacy.
But what if I told you HIPAA does nothing of the sort?
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA was designed to facilitate data sharing for health insurance purposes, making it easier for insurers, healthcare providers, and others to exchange patient data without needing patient consent.
Before HIPAA, states had their own laws to handle how medical data was allowed to be shared. HIPAA changed this, setting the stage for the eventual digitization of health records, creating standards for the sharing of that electronic data, and “unlocking” medical data for the benefit of entities such as insurers and government agencies.
Given that this is a permissive data-sharing law, why is it that people have come to associate HIPAA with privacy?
The Big Lie
Traditionally, patients and doctors have always enjoyed a confidential relationship. Our health data is sensitive, so we expect that what we tell our healthcare providers will stay just between us.
Given that HIPAA would undermine this cultural expectation, broadly expanding what kind of patient data is allowed to be shared without needing patient consent, Congress decided that at least some guardrails should be included in HIPAA.
Congress was given three years to pass a “privacy rule”. Basically, if Congress couldn’t come to a bipartisan consensus on this privacy law within three years, then HHS (the Department of Health and Human Services) was given the authority to create their own privacy standards.
You might not have heard of HHS, but it is one of the largest federal agencies. They oversee the Centers for Disease Control and Prevention, the Food and Drug Administration, the National Institutes of Health, and are also responsible for overseeing Medicare and Medicaid as well as countless other departments. Given the extensive responsibilities of HHS, the agency had strong incentives to make it easier to collect medical data—to streamline programs, combat waste, and leverage patient information for research and analytics. HHS was indeed one of the main proponents of HIPAA, playing a huge role in shaping and advocating for it.
Predictably, the deadline for passing privacy legislation eventually expired and Congress was unable to agree on a privacy law in that time, so HHS wrote the rule.
To be clear: HHS, the federal agency pushing for HIPAA so that they could expand the collection of medical data, was put in charge of writing the law that would also protect people’s medical data from collection.
It’s a little like asking the fox to write the rules for protecting the hen house.
What was the result? Definitely not privacy.
HHS’s recommendation to Congress in the lead-up to writing the rule was essentially to do away with the “age-old right to privacy in this new world of progress”.
“Individuals' claims to privacy must be balanced by their public responsibility to contribute to the common good, through use of their information for important, socially useful purposes …”
September 1997, HHS Secretary Donna Shalala
In other words, individuals must sacrifice their privacy for “the common good”. Medical privacy is dead.
“We recommend that the traditional control on use and disclosure of information, the patient's written authorization, be replaced by comprehensive statutory controls on all who get health information for health care and payment purposes.”
September 1997, HHS Secretary Donna Shalala
They insisted that patients should no longer get to decide whether their data is shared, and written authorizations should be replaced with laws that would allow certain entities to share their information automatically, without needing patient approval.
When they finally wrote the rule, which went into effect in 2003, this is exactly what happened.
How Your Data Is Shared
HIPAA outlines circumstances under which your health information, including PHI, may be shared without your consent:
To the Individual (unless required for access or accounting of disclosures);
Treatment, Payment, and Health Care Operations;
Opportunity to Agree or Object;
Incident to an otherwise permitted use and disclosure;
Public Interest and Benefit Activities; and
Limited Data Set for the purposes of research, public health, or health care operations.
It’s worth breaking this down to really understand what it means.
First, PHI means Protected Health Information—sensitive medical information that is still tied to your identifiers, like name and Social Security number. One of the circumstances under which this can be shared, without you ever knowing about it, is for something called “Health Care Operations.”
The definition of the single term “Health Care Operations” alone is 400 words long and includes 65 different non-medical business activities such as marketing, fundraising, and auditing. These are all ways that your medical data, identifiable as belonging to you, can be shared without your consent or knowledge, for purposes that have nothing to do with your treatment.
As one Yale journal notes:
“One of the most criticized aspects of the Federal Health Privacy Rule is its lax restrictions on the use and disclosure of health information for marketing activities. The regulation allows a provider to use a patient's health information for marketing activities without obtaining the patient's informed consent.”
Joy L. Pritts, “Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule,” Yale Journal of Health Policy, Law, and Ethics vol. 2, issue 2 (February 23, 2013)
Then in 2010, there was a modification to the HIPAA Privacy, Security, and Enforcement Rules which came after the HITECH Act was passed. These rules expanded the scope of HIPAA and broadened the definition of “business associates” to include all kinds of contractors and subcontractors for healthcare providers and insurers.
Under this rule, there are now 1.5 million entities that are considered “business associates,” and a total of 2.2 million entities who can get your personally identifiable medical data without your knowledge or consent.
Your data can also be shared in something called a Limited Data Set (LDS). This excludes certain personal identifiers like your name or Social Security number but includes things like your date of birth, zip code, and admission dates.
The Centers for Medicare & Medicaid Services freely admits:
“LDS are considered identifiable even without the specific direct identifiers. ... These data are identifiable because of the potential for identifying a beneficiary due to technology, particularly in linking and reidentifying data files.”
CMS.gov, April 21, 2017
All that stops someone from reidentifying this data is a promise not to:
“The DUA requires data users to promise not to reidentify or contact the subject of the data.”
Institutional Review Board: Management and Function, 2nd ed.
And these LDS can be shared not just with the 2.2 million entities mentioned but with anyone, as long as the data is being used for the broad purposes of research, health care operations, or public health.
Whether your information gets shared with these 2.2 million entities, or with anyone if it is within a “limited data set,” is officially left up to the ethics and best judgments of those who hold your data:
“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”
You will be unable to find out if your data has been shared because, under HIPAA, organizations are not required to provide an accounting of how private health information has been disclosed for the categories mentioned.
The Illusion of Privacy
Despite the explicit data sharing permitted under current U.S. federal laws, we are suffering under an illusion of medical privacy. Why is this?
Perhaps because the most restrictive part of HIPAA is actually the part that consumers themselves come into contact with. I’m sure many of us have had experiences where we’ve tried to get access to the medical records of a family member, only to be told that the hospital can’t hand them over because it would be a HIPAA violation.
On top of that, it is very complicated for organizations to comply with all the ins and outs of HIPAA regulations, and so many people think that the regulation itself is restrictive when it comes to medical data sharing. But this burdensome and bureaucratic theater hides the reality of the situation—that HIPAA is a permissive data-sharing law that overwhelmingly stripped consumers of their right to consent to data sharing. There are millions of entities who can get our medical data, zero transparency into where this data ends up, and no ability for consumers to hold institutions accountable if it falls into the wrong hands. On top of that, the whole system is held together by promises and best judgments. As Keith Smith, cofounder of the Surgery Center of Oklahoma, explained:
“HIPAA is not about protecting anyone's privacy. HIPAA is about making very clear the extent to which a privacy is going to be violated, and who gets to violate it.”
The most pernicious part about the situation is that no one understands what’s going on. We have an illusion of medical privacy, so no one feels the need to change the status quo.
Twila Brase, President of the nonprofit Citizens' Council for Health Freedom, said that even congressional staffers don’t understand the broad data sharing that HIPAA permits.
“We talked to 22 different congressional offices. And at every office, we asked the health policy staff, what does it mean when you sign that HIPAA form at the clinic? They said, ‘It means that my information is between me and my doctor.’”
She continued,
“These are the people advising members of Congress about what's what in healthcare, and they have no idea that HIPAA does not protect their privacy.”
Dr. Smith echoed that if he were to make the same statement, and…
“… there were 10 physicians sitting here ... they would all think I was crazy. What's really scary is none of them would even go check it out.”
HIPAA creates a false sense of security. The complexity of compliance makes it feel like a strict privacy law, but in reality, it facilitates data sharing with minimal transparency.
We’ve been told HIPAA means privacy, and most of us are happy believing the lie.
What We Can Do
So, what can we do? Top of the list is to fight for better state privacy laws.
Before HIPAA, states did have their own medical privacy laws, but when HIPAA came along many states conformed their privacy law to HIPAA, eliminating their state privacy protections. For example, before HIPAA, Hawaii had some of the strongest medical privacy laws in the country. When the federal privacy rule was issued in 2001, Hawaii repealed their own privacy statute saying there was “little support” for a state law given the adoption of the federal rule.
Some states, like Minnesota, have stronger privacy laws that require patient consent before disclosing medical information for certain purposes.
(Examples of Model Legislation)
The fact is, if states reclaim their authority to create their own privacy rules around medical data sharing, then wherever the state law adopted is stronger than HIPAA, the state law stands. If more states adopted similar protections, we could significantly curb the overreach allowed by HIPAA. We can put consent to data sharing back into the hands of the patients by pushing for stronger protections at the state level.
Other Actionable Steps:
Stay Informed. Ask for a paper copy of the Notice of Privacy Practices form you’re handed at the clinic, and read it. Voice your concern if there are things that you don’t agree with. We got into this mess because we all presumed that these practices are standard and not taking advantage of us, but actually, this rabbit hole goes much deeper than we covered in this article. We need to feel comfortable speaking up when we see policies that we disagree with. We may not be able to change these policies immediately, but we won’t get anywhere if we are too afraid to voice our concern.
Choose Privacy-Focused Clinics. You can also visit jointhewedge.com to find clinics that prioritize your privacy.
HIPAA was never about bolstering privacy. It eliminated many pre-existing state laws that protected privacy and opened the floodgates for sharing patient data without needing consent. We deserve privacy in our medical system. Our health information is sensitive, and we should be allowed to protect it. But instead of enacting a privacy law, we have stripped patients of their right to choose for themselves whether their data is shared.
Maybe you want other entities like researchers to be able to get your data—but it should be your choice. The most important thing we can do is make people aware of what’s going on, to shift culture away from complacency around surveillance, and remind people why privacy is worth fighting for.
Privacy is the foundation of freedom, and if we don’t fight for it, we risk losing our ability to control our most personal data.
A version of this article first appeared in video form on NBTV. NBTV is a non-profit educational platform that teaches people how to reclaim control of their lives in the digital age. They give people the tools they need to take back their privacy, money, and free online expression.
Learn more at NBTV.media