The federal government is asking for input to improve the so-called “privacy” law for medical records and information, the Health Insurance Portability and Accountability Act of 1996, or HIPPA.
A good first step, according to a medical privacy expert, would be to actually ensure the privacy of medical records.
In a 14-page comment to the government, the advocacy group Citizens Council for Health Freedom contend the rule “isn’t about privacy at all.”
“We support the right of patients to keep their private medical information confidential, thus we have long opposed HIPAA due to its intrusion on the patient-doctor relationship and its infringement of privacy rights,” said Twila Brase, CCHR president, in a letter to HHS Secretary Alex Azar.
“Our opposition continues today and has only grown.”
The Office for Civil Rights in the U.S. Department of Health and Human Services has issued a “Request for Information” on how to modify HIPPA rules to help “coordinated care.”
Brase cited an explanation of the law by David Brailer, the first National Coordinator of Health IT.
He said that, under the law, “You can’t force a covered entity to give your data to someone you choose, and you can’t stop them from giving it to someone they choose.”
In short, the “privacy” law allows health organizations to freely exchange patient information and in many cases even generate revenue by selling it.
“HIPAA’s primary focus is not privacy; it is security of the data before, after and while patient’s privacy is being violated, which is what happens when the patient’s data is disclosed and used without the patient’s consent,” Brase explained.
“If privacy were the focus, the HHS ‘Wall of Shame’ would be littered with documentation of all the times patient privacy is violated every day. HIPAA does not protect the patient data the way patients think it does or in the way patients define and interpret the word ‘privacy.’
Brase said that instead of “requiring patients to sign a statement that wrongly convinces them that their data is held in confidence, OCR should have practitioners and institutions make a good faith effort to have patients sign a form/statement that faithfully and ethically shares the truth about HIPAA.”
Her organization, she said, has been engaged in a two-decade campaign to inform Americans that despite what they’ve long been told by the news media, government agencies, health plans, legislators, Congress, hospitals and doctor’s offices, HIPAA is not a privacy rule.
And it gives outsiders legal license to share, use, link and sell patient details, empowering corporations to profit from patient information without consent.
Brase said the government’s vague language is part of the problem.
For example, the government proposed: “The Privacy and Security Rules limit the circumstances under which covered entities may use and disclose PHI [protected health information] and require covered entities to implement safeguards to protect the privacy and security of PHI.”
Brase argued that many Americans will read “limit the circumstances” and think it means their instances warranting disclosure of their records are rare.
“However, there are relatively few circumstances in which patient data cannot be shared, used, disclosed, compiled, analyzed, dissected, and if stripped of 18 identifiers, sold or given away,” she said.
“These uses and disclosures are permitted without patient consent under the broad definitions of payment, treatment and ‘health care operations’ as well as the deidentification standard, the 12 national priority purposes, the treatment exemption to the ‘minimum necessary’ requirement, and more.”
CCHF proposes renaming the rule “Standards for Disclosing and Using Patient Data Without Patient Consent.”
The “notice” should be called “Notice of Permitted Data Disclosures Without Patient Consent.”
And patients should be asked to sign a statement like this: “I understand that the federal HIPAA regulation permits sharing and use of my personally-identifiable health information without my consent, including to the government and various corporations for non-clinical and other purposes. I further acknowledge that I have received a copy of the Notice of Permitted Data Disclosures Without Patient Consent and I have reviewed the federal purposes and definitions that permit data sharing without my consent – unless a stronger state medical privacy law exists to prevent such uses and disclosures. Finally, I acknowledge that I have reviewed my right to request restrictions on data sharing and that my provider must provide me with a form to do so at my request, but that my provider is allowed to agree or refuse to agree to my request for restricted sharing of my information and must inform me of such agreement or refusal, or future changes in such an agreement.”
Other upgrades would include banning doctors from telling patients that HIPAA is a privacy rule. Doctors should say it is a data-disclosure rule that allows disclosures of their personally identifiable information without their consent.
Or, much more simply, the government could “restore the patient privacy and consent rights that were in place pre-HIPAA,” the letter said.