CCHF to Congress: Repeal HIPAA "Privacy Rule" and Restore Patient Consent Rights

ST. PAUL, Minn. — As public officials and private businesses propose ‘vaccine passports’ for all Americans, citizens can be heard asking, “What about HIPAA? Doesn’t HIPAA protect us?”

In this, the 25th year since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted, the Citizens’ Council for Health Freedom (CCHF) has a message for Congress: Repeal the “HIPAA privacy rule.”

In a letter dated April 14, 2021, the 18th anniversary of the day the Standards for Privacy of Individually Identifiable Health Information (“HIPAA privacy rule”) became effective and enforced by the U.S. Department of Health and Human Services, CCHF asked Senate Majority Leader Chuck Schumer, Senate Minority Leader Mitch McConnell, House Majority Leader Steny Hoyer, and House Minority Leader Kevin McCarthy to introduce legislation that:

• Rescinds the 2003 federal rule officially titled, “Standards for Privacy of Individually Identifiable Health Information” and all its amendments.

• Imposes informed, written, voluntary patient consent for the sharing of patient information.

“The title, HIPAA privacy rule, is a ‘misnomer,’ wrote Twila Brase, president and co-founder of Citizens’ Council for Health Freedom. “HIPAA is not a privacy rule. It is considered a permissive data-sharing rule. As David Brailer, former Coordinator of the Office of the National Coordinator of Health Information Technology once said, ‘You can’t force a covered entity to give your data to someone you choose, and you can’t stop them from giving it to someone they choose.’”

The letter notes another HIPAA regulation, written in 2010 by the U.S. Department of Health and Human Services, which provides a list of the more than 700,000 ‘covered entities,’ such as hospitals, clinics and health plans, and their 1.5 million businesses associates. These 2.2 million entities are permitted to access, share and use patient-identifiable data without patient consent if the covered entities, which hold the patient’s data, choose to share it.

“Patients wrongly believe that HIPAA protects their privacy,” said Brase. “In the current Covid-19 pandemic, they also wrongly believe HIPAA prevents the creation of or demand for vaccine passports. But HIPAA only regulates ‘covered entities and their business associates. It doesn’t regulate government or other businesses that may have to patient information. Furthermore, even for those it does regulate, it’s a permissive sharing rule. There are few limits on data-sharing or use. HIPAA doesn’t protect privacy, it eliminated it.

Brase says the 25th anniversary of HIPAA signals the right time to eliminate HIPAA and restore patient consent requirements for all Americans.

“HIPAA is one of the largest deceptions ever foisted on the American people. “In our letter to Congressional leadership, we asked them to pass a bill that requires the rule to be rescinded, establishes real patient privacy rights and restores patient consent requirements.”

Brase says state legislatures also have the power to undo HIPAA for their own constituents. However she believes most of them also think HIPAA protects privacy and therefore they have little reason to introduce state-level privacy legislation.

“If Congress refuses to protect the privacy of Americans, state legislators must act,” says Brase. “HIPAA’s state preemption provision requires a stronger state law to be followed. State legislators can protect their constituents from HIPAA by passing a real state medical privacy law that requires patient consent for the disclosure, sharing and use of patient information.”