HIPAA, Health Insurance Portability and Accountability Act.
HIPAA doesn't protect your medical privacy at all. Your medical data is being shared all over the place with millions of entities, and this is explicitly permitted by the law itself.
A lot of people think that HIPAA actually protects their medical information. It doesn't!
So this is the first video in a series that explores medical privacy, and it's a doozy. First of all, it's really difficult to get any transparency into the data sharing that goes on in the medical field, but I chatted with three people who have managed to get a peek behind the surgical curtain of the behemoth health data industry. There's Twila Brace, a nurse and president of a non-profit that fights for medical privacy. There's Rob Frommer, senior attorney with a pro bono law firm that is currently fighting the state of New Jersey over unlawful infant medical data collection. And there's Keith Smith, co-founder of the Surgery Center of Oklahoma and a practicing anesthesiologist.
What I learned from them, and from diving deep into this rabbit hole, really blew my mind. Essentially, the state of medical privacy is a mess. Throughout this series, we explore electronic health records, their vulnerabilities to hacking, and how they share our sensitive health data with government entities and all kinds of other third parties. We uncover how medical practitioners are financially incentivized to collect excess information from you to feed this data machine. We talk about the warehouses of baby DNA being collected at birth in almost all states in the USA without parent consent. No, this isn't a conspiracy theory: there have already been lawsuits against Texas, Minnesota, Michigan, and New Jersey over this practice. In this video we'll focus on HIPAA: understanding what HIPAA actually is, and how it came to allow our data to be shared without us even knowing. We'll specifically look at how we've been tricked into thinking we had privacy, and steps we can take to reclaim control of our medical data.
So let's begin by understanding the history of how HIPAA came to be.
HIPAA, the Health Insurance Portability and Accountability Act of 1996. Clinton: "It offers opportunity by allowing people to take their health insurance from job to job."
A lot of people don't realize that HIPAA was originally created to make it easier to share medical information for the purpose of insurance. It set the stage for the eventual digitization of health records, creating standards for the sharing of that electronic data and expanding who is allowed to get access to information without needing patient consent. Twila Brace: "HIPAA is a permissive data sharing rule."
We can learn more about the goals of HIPAA by looking at those who were pushing for it. We'll dive into the entities who stood to benefit financially from the digitization and standardization of medical data sharing in the next video. But in this video, I want to focus on the government as an organization that played a huge role in shaping and advocating for HIPAA, specifically HHS, the Department of Health and Human Services. You might not have heard of HHS, but it's one of the largest federal agencies, and you've almost surely heard of a bunch of the agencies that fall under its purview. For example, the CDC (Centers for Disease Control and Prevention), the FDA (Food and Drug Administration), and the NIH (National Institutes of Health) all fall under HHS. It is also responsible for overseeing Medicare and Medicaid. Given the extensive responsibilities of HHS, the agency has strong incentives to make it easier to collect medical data: to streamline programs, combat waste, and leverage patient information for research and analytics. Before HIPAA, the government's ability to access medical data was more limited and fragmented due to varying state privacy laws. HIPAA would solve this by unlocking medical data that had previously been out of its grasp. But the reason it had previously been more difficult to share medical data was that this information is highly sensitive and personal, and being able to keep it private has long been a cultural expectation. On top of that, it's not meant to be easy for the government to obtain your private information. Checks and balances are essential to protect against abuse of centralized power, yet HIPAA has largely undermined patient-doctor confidentiality by broadening permissions for data sharing with third parties.
This was met with concern, and with a recognition that it had to be counterbalanced with some privacy protections, so HIPAA included a provision: Congress had three years to pass comprehensive privacy legislation, and if Congress wasn't able to agree on the language of this privacy legislation in that time, there was a backup plan. Twila Brace again: "The US Department of Health and Human Services was required to write a rule if Congress did not pass a privacy law." Basically, if Congress couldn't come to a bipartisan consensus on this privacy law within three years, then HHS was given the authority to create its own privacy standards. Let me repeat that part. HHS, the federal agency that wanted to collect people's medical data, was put in charge of writing a rule that would also protect people's medical data from collection. Isn't that a bit like asking the fox to write the rules for protecting the hen house? We get a sense of HHS's priorities by looking at its recommendations to Congress during this three-year period. The priority was not privacy. Twila Brace: "They actually talked about the age-old rights of privacy, but then they said that we needed to move away from that to use data for publicly useful purposes." In other words, individuals must sacrifice their privacy for what they call the "common good." Instead of letting patients decide whether their data is shared, HHS recommended doing away with patient consent and replacing it with rules that would allow certain entities to share their information automatically without needing patient approval. The deadline for passing privacy legislation eventually expired, and, predictably, Congress was unable to agree on a privacy law in that time. Twila Brace: "So after three years, the US Department of Health and Human Services wrote the rule."
The regulation created by HHS, known as the HIPAA Privacy Rule, went into effect in 2003, and it did include some restrictions on who could access medical data under these new permissive rules. "Your doctor giving your boss your health records without your permission, that's a HIPAA violation."
Rob Frommer: "What it protects from is, like, your medical information being given to, like, your employer, with the idea that I might go see a shrink. I don't want my employer to know about it."
Indeed, the most restrictive part of HIPAA is actually the part that consumers themselves come into contact with, which might explain why people think HIPAA improved their medical privacy. I'm sure many of us have had experiences where we've tried to get access to the medical records of a family member, only to be told that the hospital can't hand them over because it would violate HIPAA. But the reality is that although this rule seems to restrict sharing at the consumer level, when you pull back the curtain on this privacy theater, it's a very different story. Twila Brace: "So HHS, when they wrote their rule, they just decimated privacy rights. They gave the data away to all of these other entities."
So who exactly is allowed to get your information? First, those who are directly involved with your treatment are naturally going to have access to your data. Twila Brace: "The clinic, the hospital, the laboratory, the radiology facility, the nursing home . . ." And then the Privacy Rule goes on to explain under which circumstances these entities are allowed to share your protected health information, and with whom. Some of these are what you'd expect: treatment, payment, etc. But one of the permitted uses is for something called "healthcare operations." Twila Brace: "The definition of healthcare operations for which your data can be shared is almost 400 words long . . ." Let's read it. "Health care operations means any of the following activities of the . . ." and she scrolls rapidly. Twila Brace: "It's essentially a list of about 65 non-clinical business activities, so nothing having to do with your medical treatment whatsoever. If your hospital, if your clinic, if your lab chooses to share your identifiable medical information, they can." To be clear, these 65 non-clinical business activities permit PHI, or Protected Health Information, to be shared, meaning medical information that is still attached to identifiers like your name and Social Security number, and most importantly . . . Twila Brace: "They're allowed to share the data without patient consent." And you [didn't] even know they were doing it.
"One of the most criticized aspects of the federal health privacy rule," as one Yale journal article [page 344] notes, "is its lax restrictions on the use and disclosure of health information for marketing activities."
HIPAA allows a provider to use a patient's health information for marketing activities without obtaining the patient's informed consent. In 2010, HHS proposed modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
"Patient Files Opened to Marketers, Fundraisers; Critics Decry Exemptions Won Through Lobbying," Washington Post, January 16, 2001.
Federal Register, The Daily Journal of the United States Government. These rules, which came after the HITECH Act was passed, expanded the scope of HIPAA and broadened the definition of "business associates" to include all kinds of contractors and subcontractors of healthcare providers and insurers. That's from the Institute for Health Freedom, "Proposed Changes to Privacy Rule Won't Ensure Privacy," September 2010.