Good news Minnesotans — Minnesota has some of the strongest health data privacy laws in the United States. MN’s medical privacy law is better than HIPAA.
Bad news…they are not strong enough to practically protect your health data, especially with HIPAA around. Read the truth about the HIPAA “privacy rule.”
HIPAA was a hot topic in the discussion of ADPPA by House Energy and Commerce Committee members. Each time, it was incorrectly used as an example of strong, effective privacy protection. Either these lawmakers are not aware that HIPAA does not protect privacy, or this bill is intended to increase the flow of personal health information beyond the doctor’s office.
These lawmakers need your help. It is critical that we do not allow the federal government to have a monopoly on data privacy. Send a letter to your lawmaker telling them, “No preemption or no privacy law!”
Step One: Take action now to tell the U.S. Congress that Americans shouldn’t compromise on privacy.
We have all been led to believe the HIPAA law was passed to protect us, when in fact HIPAA allows our health data to be shared with potentially over 2.2 million private and government entities! HIPAA harms you in at least 25 ways.
“The MN Health Records Act (144.291 to 144.298) requires written patient consent for sharing patient information for: treatment, payment, “health care operations” (i.e. analytics/fundraising), medical research, military personnel, law enforcement, funeral directors, & national security activities.” HIPAA permits sharing for all of these WITHOUT CONSENT. – Citizens’ Council for Health Freedom
There are laws we must pass in Minnesota to change the way HIPAA forms are being handled, ensure that informed consent is no longer being withheld, and change the way providers are sharing your data regardless of whether you sign the HIPAA forms…but in the meantime, legislators repeatedly attempt to repeal the health data privacy laws we DO have in Minnesota.
“One section of HIPAA regulations (45 CFR 164.512) is solely dedicated to ways that protected, identifiable health information can be used without your consent. It is called: “[U]ses and disclosures for which an authorization or opportunity to agree or object is not required.”[iv] This section includes sweeping access to identifiable health information for use in public health or law enforcement, government or court-ordered investigations and hearings, solicitation of organ donation, research purposes, national security, and some employment circumstances. It does not stop there, however, because other permissible disclosures and uses are listed in other sections of the law.
No one can explain the dangers of HIPAA to informed consent better than privacy expert and nurse Twila Brase, R.N., who truly wrote the book on health privacy titled “Big Brother in the Exam Room.” She revealed the twisted truth about HIPAA in an interview with SHF Director and Co-Founder Leah Wilson. Her printable resource “25 Ways HIPAA Harms” lists ways your data can be used without your consent, how HIPAA gets in the way of getting an accurate second opinion, and how it stops individuals from restricting the use of their health data even from companies like Google.
It’s powerful intel to understand that HIPAA used as a point of reference in a privacy law is a huge red flag. You know right away the law is not about privacy, it’s about data flow. Any legislator citing HIPAA as a standard for privacy is either misinformed or showing their stripes. In either situation, there’s an opportunity to educate both legislators and voters about the true nature of the hand of the federal government in health privacy.” – Stand for Health Freedom
States are the solution to health privacy concerns.
“What is the solution to stopping the snowball of HIPAA data disclosures from becoming an avalanche that buries privacy? The answer is state law. Protecting privacy has traditionally been an area of state, not federal, law. The federal government had no reason to enact privacy standards until they started obtaining personal information on citizens.
States enact confidentiality laws that protect your health data. Some states have been able, with the help of health advocates, to protect citizens from HIPAA by enacting stronger state law. This is why it is extremely important to prevent federal law from overriding state law (a process known as preemption).
Unlike the federal government, states are not pressured to please companies and organizations from across the globe. States can tailor their laws to the needs of their citizens and negotiate with those doing business within their boundaries without having to dilute protections to please every party. Corporations may complain that a patchwork of state law drives up the cost of doing business out of complexity, but that argument is akin to putting lipstick on a pig. It’s a distracting and disingenuous argument to say global companies cannot accommodate state laws. States will not try to drive companies out of business when they weigh individual fundamental rights against the benefits of having a strong business community in their state. Nothing stops a business from adopting the highest standards of privacy protection to minimize adaptations of doing business in different states. The United States Constitution was written to protect the fundamental rights of individuals against tyrants holding the purse strings.
Taking away the right of the states to legislate privacy protections would force citizens to fight violations with one hand tied behind their backs. The varying approaches of the states will inevitably lead to the best outcome to balance the most interests: It’s a check on the power of Big Data and Big Tech. But if the federal government has a monopoly on privacy law, the richest companies in the world have one-stop shopping for their legislative agendas.
It’s no surprise, then, that Big Data and Big Tech (and any congressperson aligned with them) do not support federal data privacy protection law unless it overrules state law.
Despite massive government overreach into our private health data, it’s not too late to stand up for privacy. The government would not be trying to pass laws to modernize public health data if they had access to all they need. Immunization records, for example, stand in state silos of information. It’s up to us to encourage strong state laws and to stop the federal government from overriding them.” – Stand for Health Freedom
Corporations want YOUR data for their profit. Groups like the Chamber of Commerce, MN Business Partnership, health plans, and hospitals support the repeal of our MN privacy law. They may use your data to profile patients and doctors, ration care, and they profit from doing so…
“The health care industry’s market for analyzing and storing health information is valued at more than $7 billion annually.”
Advisory Board, 11/28/2018
These greedy corporations tell our legislators that “Minnesota needs to conform with the HIPAA standard.” But that is not the whole truth. When Congress enacted the HIPAA law in 1996, the law and its Rule allowed States to enact stronger privacy laws (45 CFR §160.203(b)). Per HIPAA, any state law that is stronger than HIPAA must be followed.
“Although MN’s privacy law is the best…other states are enacting “better than HIPAA” privacy laws [too]: 42 states, including MN, allow patients to opt-in or opt-out of government-sponsored HIEs, Florida requires consent for sharing data for health care operations (HCO) and 14 states require consent to disclose mental health records for payment, treatment, and HCO.” – Citizens’ Council for Health Freedom
We must ward off these attacks from legislators who are influenced by these corporations, while we work on a long-term solution to stop our data from being shared.
You read about HIPAA and the huge amounts of health data being collected, stored, and transferred. Part 2 of the health privacy story is about federal overreach and how we can save our right to privacy.
The War on Terror became a war on privacy.
“What does September 11, 2001, have to do with health privacy? In a word, surveillance. The laws that were enacted after the 9/11 attacks ushered in a new era of federal reach into our lives. The shock of the attack on American soil and the thousands of lives lost allowed tyrannical laws like the PATRIOT Act and Project Bioshield to sail through Congress as Americans grieved and tried to manage daily life amidst a national emergency. Project Bioshield set the stage for the Emergency Use Authorization pharmaceuticals that are now so widely known.
Is the Government Weaponizing Data?
The War on Terror declared by George W. Bush after the 9/11 attacks quickly morphed from a fear of bad actors to a fear of disease. In the month after the attacks, anthrax-laced letters were sent through the U.S. Postal Service to media outlets and two senators. Five Americans died and 17 others fell ill but recovered. The letters shut down Congress, which hastened emergency passage of the bill without much scrutiny.
The PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), a 300-plus-page document, passed U.S. Congress with bipartisan support just five weeks after September 11th. The law was reauthorized in 2006 and amended in 2015.
The PATRIOT Act allowed the federal government the ability to place innocent Americans under surveillance in the name of safety in a way that had never before been allowed on American soil. As an example, former president Bill Clinton attempted to strengthen wiretap authority of the federal government after the 1995 Oklahoma City bombing, but “Congress refused, mainly because many felt loosening surveillance and records rules was unconstitutional.”[iv]
In 2002, the Homeland Security Act was passed, creating the Department of Homeland Security (DHS). DHS “boasts the first statutorily required privacy office within a federal agency.”[v]
HIPAA’s Privacy Rule was passed on April 14, 2003.
The Intelligence Reform and Terrorism Prevention Act of 2004 created the Office of the Director of National Intelligence (ODNI).
Fear of another attack and of secretive terrorists who could live among us brought the walls of privacy down in America. In exchange for a feeling of security, people were willing to ignore or accept levels of government surveillance that would have previously been unthinkable.
The CDC buys cell phone data and the DHS has an Office of Health Safety.
At a July 2022 U.S. Congressional hearing on the American Data Privacy and Protection Act (ADPPA), one lawmaker highlighted the importance of privacy in health by describing the CDC’s purchase of location data to track lockdown compliance and for other “numerous CDC priorities.”[vi] [vii] She cited the activity as a reason to pass the federal privacy legislation, but with HIPAA as an exception carved out in this bill, the CDC would not be affected because HIPAA doesn’t apply to public health (more on this below).
The ADPPA focuses on consumer protection from third-party data handlers, like social media, cell phones, and more. But you might be surprised at the access federal agencies have to your health information and the major push to deeply expand this reach in the name of public health and the greater good. The information may or may not be anonymous or “de-identified.” Some wonder if any data can truly be de-identified considering the exploding artificial intelligence (AI) field.[viii]
Some ways federal agencies outside of HHS utilize health data:
- The Census Bureau is a central hub for health data throughout government agencies. Americans have been filling out a census every 10 years since 1790, sometimes including economic and “social statistics,” or health information.[ix] The Census Bureau is busy every year though, conducting other voluntary surveys, including the National Health Interview Survey. “The main objective of the NHIS is to monitor the health of the U.S. population through the collection and analysis of data on a broad range of health topics such as medical conditions, health insurance, doctor’s office visits, physical activity, and other health behaviors.”[x] They also conducted Household Pulse Surveys to delve into the well-being of American households during the pandemic, which included questions on how stimulus checks were used.[xi]
- The Federal Trade Commission has a project called “Mapping Broadband Health in America,” which overlays broadband coverage with health access, quality, and behavior, based on data obtained from the Census Bureau, CDC, Geolytics, and the Robert Wood Johnson Foundation.[xii]
- The Department of Homeland Security (DHS) has a newly reorganized Office of Health Security,[xiii] as well as an Office of Biometric Identity Management (biometrics are considered PHI under HIPAA). The DHS also has a contract with Amazon to house biometric information on their servers.
- The Environmental Protection Agency collects health information to conduct environmental assessments of residential properties.[xiv]
- The National Archives contain numerous Systems of Records, one of which is a collection of requests for accommodations for religion or disability by their employees, recently revised to explicitly note religious exemption requests to COVID shot requirements.[xv] This is not the only federal agency that has updated or created a System of Records relating to COVID guidance or mandate compliance. Other agencies include the Department of the Interior,[xvi] the Selective Service System,[xvii] the United States Postal Service,[xviii] and the Securities and Exchange Commission,[xix] just to name a few. (If you’d like to see more, go to the federal register and search “SORN AND COVID.”)
The activities described above would be in the name of public health or national security, except the data the Census Bureau collects through voluntary participation in surveys. HIPAA doesn’t apply to these federal agencies; they would be governed by the Privacy Act of 1974, which does not require de-identification of data.
According to David Ferro of the National Archives, “The Privacy Act of 1974, as amended (5 U.S.C. 552a) (“Privacy Act”), provides certain safeguards for an individual against an invasion of personal privacy. It requires federal agencies that disseminate any record of personally identifiable information to do so in a manner that assures the action is for a necessary and lawful purpose, the information is current and accurate for its intended use, and the agency provides adequate safeguards to prevent misuse of such information. NARA intends to follow these principles when transferring information to another agency or individual as a “routine use,” including assuring that the information is relevant for the purposes for which it is transferred.”[xx]
Nothing to hide, nothing to fear?
Protecting the privacy of individuals protects society at large. When we mix fear of publicity with the idea that we can have privacy, we are making an assumption that the activity or information has some bad quality to it. But most things society values privacy for are not inherently bad. The health and medical decisions we make, the diagnoses, and the family history found in our DNA fall into this category.
If we allow our health data to be transferred, used, disclosed, or stored without our informed consent, we are opening the door for completely inappropriate or even dangerous actions to be taken against us. If we allow government and businesses to demand our COVID shot status, for example, we allow discrimination that destroys liberty.
“[T]he vast trove of information that is being accumulated about Americans is like a loaded weapon that can be trained on selected Americans at any time by officials hungry for power and control.”[xxi]
A person may think they have nothing to hide and thus are safe from being treated as a criminal or an outcast. What about when the rules change? What if the rules are enforced only against certain individuals? Who will be the suspect then?