Viewpoint: 22 years of HIPAA, 22 ways HIPAA creates lapses in patient privacy

Former President Bill Clinton signed HIPAA into law 22 years ago on Aug. 21, 1996.

The law was designed to afford patients' a right to access their own health data, as well as establish various safeguards to ensure organizations that handle sensitive information protect patients' privacy. However, the right-wing nonprofit Citizens' Council for Health Freedom argues HIPAA does the opposite.

Here are 22 ways the organization claims HIPAA hurts patients:

1. HIPAA allows for physicians and hospitals to share health records, tests, diagnoses and physician notes between one another without patients' knowledge, which the group argues makes it "nearly impossible to get a truly unbiased second opinion."

2. HIPAA permits scientists and researchers to use patients' medical and genetic information for research without prior knowledge or consent.

3. Under HIPAA, health plans and government organizations can access patients' private health information without first getting consent.

4. Nearly 2.2 million entities can access patient health information if the entity holding the information — such as a hospital — first permits it.

5. The law allows for organizations to disclose health information for various purposes, including some that aren't related to patient treatment.

6. HIPAA does not allow patients to restrict access to their health information. Instead, it allows patients to request restrictions, although clinics and hospitals are not obligated to honor the requests.

7. HIPAA permits information sharing as part of its push for "one-size-fits-all" diagnostic tests and treatment procedures, and physicians that refuse to follow these standardized protocols can be penalized.

8. According to the Citizens' Council, "as a result of [more than] 50,000 public comments, HIPAA originally required patient consent for sharing data for treatment, payment and health care operations, [but] in 2001, the industry successfully lobbied to eliminate consent."

9. Under HIPAA, hospitals can contact and share patient information with organ procurement companies without consent. These companies can review medical records and come to patient hospital rooms without warning to push organ donation. However, some state laws prohibit this.  

10. The Citizens' Council cited the following quote from former National Health IT Coordinator David Brailer: "You can't force a covered entity to give your data to someone you choose, and you can't stop them from giving it to someone they choose."

11. Patient information can be shared for public health activities, health oversight activities, judicial and administrative proceedings, law enforcement purposes and research without prior patient consent, although some state laws prohibit this.

12. Citizens' Council points to a map of data sharing before HIPAA to demonstrate the lack off data exchange activity prior to the legislation going into effect.

13. Citizens' Council points to a map of data sharing after HIPAA to demonstrate the now widespread data exchanging activity between various healthcare stakeholders.

14. Only four states — Minnesota, Florida, Georgia and Iowa — have enacted strong medical privacy laws to supplement regulation established under HIPAA.

15. Hospitals are not required to disclose to patients whether their information was shared for payment, treatment or other healthcare operations unless state law requires it.

16. HHS allows patient data that has been deidentified under HIPAA standards to be reidentified.

17. The federal HIPAA Administrative Simplification Regulation only mentions "consent" 17 times — and rarely in terms of data-sharing — in its 115 pages.

18. Richard Sobel, PhD, a political scientists at the research organization Ronin Institute, has said: "HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it has effectively dismantled the longstanding moral and legal tradition of patient confidentiality,"  according to the Citizens' Council.

19. Although HIPAA allows the use of patient data for research without patient consent, "only 1 percent of [patient] respondents were willing to allow researchers to use their personal information without their consent… Thirty-eight percent wanted the right to consent to or refuse each use, while 13 percent would not allow research use under any circumstances," Wendy Mariner, a law professor at Boston University, has said, according to the Citizens' Council.

20. Citizens' Council cited a 2010 Black Book survey of 12,900 consumers that found most patients (87 percent) were unwilling to disclose all their medical information to their provider. Moreover, 89 percent reported withholding information during visits with their provider.

21. Refusing or choosing to sign the HIPAA Notice of Privacy Practices form has no impact on permitted data-sharing under HIPAA.

22. Citizens' Council calls on patients to not sign the HIPAA Notice of Privacy Practices form, and notes a patient cannot be refused treatment for not signing it. The organization added it wants patients to call their state legislators to pass stronger state medical privacy laws.

Click here to read Citizens' Council's complete list of patient harms under HIPAA. 

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars