Friday, September 27, 2024

NAOMI BROCKWELL: HIPAA is legislation that stripped individuals of the right to consent to medical data sharing

HIPAA, Health Insurance Portability and Accountability Act.   

HIPAA doesn't protect your medical privacy at all, and your medical data is being shared all over the place with millions of entities, and this is explicitly permitted by the law itself.

A lot of people think that HIPAA actually protects their medical information.  It doesn't!

So this is the first video in a series that explores medical privacy, and it's a doozy.  First of all, it's really difficult to get any transparency into the data sharing that goes on in the medical field, but I chatted with three people who have managed to get a peek behind the surgical curtain of the behemoth health data industry.  There's Twiler Brace, a nurse and president of a non-profit that fights for medical privacy.  There's Rob Frommer, senior attorney with a pro bono law firm that is currently fighting the state of New Jersey for unlawful infant medical data collection, and Keith Smith, co-founder of the Surgery Center of Oklahoma and a practicing anesthesiologist.

What I learned from them and from diving deep into this rabbit hole really blew my mind.  Essentially, the state of medical privacy is a mess.  Throughout this series we explore electronic health records, their vulnerabilities to hacking, and how they share our sensitive health data with government entities and all kinds of other third parties.  We uncover how medical practitioners are financially incentivized to collect excess information from you to feed this data machine.  We talk about the warehouses of baby DNA being collected at birth in almost all states in the USA without parent consent.  No, this isn't about a conspiracy theory: there have already been lawsuits against Texas, Minnesota, Michigan and New Jersey for this practice.  And in this video we'll focus on HIPAA: understanding what HIPAA actually is and how it came to allow our data to be shared without us even knowing.  We'll specifically look at how we've been tricked into thinking we had privacy and steps we can take to reclaim control of our medical data.

So let's begin by understanding the history of how HIPAA came to be.

HIPAA, the Health Insurance Portability and Accountability Act of 1996.  Clinton, "It offers opportunity by allowing people to take their health insurance from job to job."

A lot of people don't realize that HIPAA was originally created to make it easier to share medical information for the purpose of insurance.  It set the stage for the eventual digitization of health records, creating standards for the sharing of that electronic data and expanding who is allowed to get access to information without needing patient consent.  Twiler Brace, "HIPAA is a permissive data sharing rule."

We can learn more about the goals of HIPAA by looking at those who were pushing for it.  We'll dive into entities who stood to benefit financially from the digitization and standardization of medical data sharing in the next video.  But in this video, I want to focus on the government as an organization that played a huge role in shaping and advocating for HIPAA, like the HHS, or the Department of Health and Human Services.  You might not have heard of HHS, but it's one of the largest federal agencies and you've almost surely heard of a bunch of the agencies that fall under their purview.  For example, the CDC, or the Centers for Disease Control and Prevention, the FDA, or Food and Drug Administration, and the NIH, or National Institutes of Health, all fall under the HHS.  They are also responsible for overseeing Medicare and Medicaid.  Given the extensive responsibilities of HHS, the agency has strong incentives to make it easier to collect medical data, to streamline programs, combat waste, and leverage patient information for research and analytics.  Before HIPAA, the government's ability to access medical data was more limited and fragmented due to varying state privacy laws.  HIPAA would solve this by unlocking medical data that had previously been out of their grasp.  But the reason it had previously been more difficult to share medical data was that this information was highly sensitive and personal, and being able to keep it private has long been a cultural expectation.  On top of that, it's not meant to be easy for the government to obtain your private information.
Checks and balances are essential to protect against abuse of centralized power.  Given that HIPAA would largely undermine patient-doctor confidentiality by broadening permissions for data sharing with third parties, it was met with concern and a recognition that it had to be counterbalanced with some privacy protections.  So HIPAA included a provision that said Congress had three years to pass comprehensive privacy legislation, and if Congress wasn't able to come to an agreement about the language of this privacy legislation in this time, there was a backup plan.  Twiler Brace again, "The US Department of Health and Human Services was required to write a rule if Congress did not pass a Privacy Law."  Basically, if Congress couldn't come to a bipartisan consensus on this privacy law within 3 years, then HHS was given the authority to create their own privacy standards.  Let me repeat that part.  The HHS, the federal agency that wanted to collect people's medical data, was put in charge of writing a law that would also protect people's medical data from collection.  Isn't that a bit like asking the fox to write the rules for protecting the hen house?  We get a sense of HHS's priorities by looking at their recommendations to Congress during this 3-year period.  The priority was not privacy.  Twiler Brace, "They actually talked about the age-old rights of privacy, but then they said that we needed to move away from that to use data for publicly useful purposes.  In other words, individuals must sacrifice their privacy for what they call the 'common good.'"  Instead of letting patients decide whether their data is shared, HHS recommended doing away with patient consent and replacing it with laws that would allow certain entities to share their information automatically without needing patient approval.  Now, the deadline for passing privacy legislation eventually expired, and predictably Congress was unable to agree to a Privacy Law in that time.
Twiler Brace, "So after 3 years, the US Department of Health and Human Services wrote the rule."  The regulation created by HHS, known as the HIPAA Privacy Rule, went into effect in 2003, and it did include some restrictions on who could access medical data under these new permissive laws.  "Your doctor giving your boss your health records without your permission, that's a HIPAA violation."

Rob Frommer, "What it protects from is like your medical information being given to like your employer with the idea that I might go see a shrink.  I don't want my employer to know about it."  

Indeed, the most restrictive part of HIPAA is actually the part that consumers themselves come into contact with, which might explain why people think HIPAA improved their medical privacy.  I'm sure many of us have had experiences where we've tried to get access to the medical records of a family member only to be told that the hospital can't hand them over because it would violate HIPAA.

