Privacy is essential for informed consent.
Imagine this: Someone posts a sonogram on Facebook to announce their family is expecting a baby. Texts and emails and posts appear throughout the pregnancy and another announcement is made when the little one is born. Wanting to share their joy, the family marks moments and milestones on social media, and posts share the ups and downs of parenthood. After texts and calls and video chats with family through the years, the kiddo wants their own cell phone. Soon they’re on TikTok and Facebook and Signal. Mix in lockdowns, virtual schooling, and security cameras in public and private spaces, and we have quite the recipe for a digital footprint that’s been growing from the moment of conception.
Health data gets thrown into the mix, too. Have you ever texted someone while waiting at a doctor’s office? Do you use your cell phone or a smart watch to record any health data? (This includes pictures of a rash to ask for advice from trusted confidants or social media “friends” as well as a photo of your child snuggling up with warm soup and their favorite stuffed animal while sick.) Does your doctor use an Electronic Health Record? Have you used an app to track fitness, blood sugar, or menstrual cycles? Do you have a FitBit, an Oura Ring, or a heart rate strap that connects to an app like Garmin, Strava, or Peloton? What about your child or grandchild? Do they have any of these things?
These are just some of the ways personal health information becomes data. This digital collection of vital statistics, hobbies and habits, location, diagnosis – even your emotional reactions – makes up a data version of you. Some of us were lucky enough to experience childhood without security cameras and cell phones and social media. But American children are now growing up with technology as an integral part of life — so much so that our U.S. Supreme Court has observed, “a cell phone [is] almost a feature of human anatomy.”[i]
What can be done with that health data? Cell phone apps already tie health decisions and conditions to access to buildings. The SHIELD T3 program (which stands for Target, Test, Tell), implemented at the University of Illinois and reported on by Stand for Health Freedom in our post titled “This is your warning,” uses contact tracing and rapid COVID test results combined with QR codes to grant access to campus buildings. Cities around the globe have tied COVID shot and test result status to digital wallets and identification cards, such as New York’s Excelsior Pass.
Although the health pass and digital vaccine credentials have faced global pushback from citizens rejecting this global surveillance, these passport systems were only a dress rehearsal. The digitization of health information has been a globalist goal for decades, the first notable attempt being the Health Security Act proposed by former president Bill Clinton, which would have included a national patient ID. Recently, the call for a federal health patient identifier has been revived. This time, however, the dominant story is fear for patient safety, rather than the razzle-dazzle of technological promise that dominated the early ’90s.[ii]
We tend to think our personal health information (PHI) is private. HIPAA is probably the most-cited federal law after the 5th Amendment right to remain silent, revealing how deeply privacy is etched into the soul of America.
But this fundamental American right to privacy is under attack. Our children are living in a world that disregards privacy as a constitutionally guaranteed human right. The right to make medical and health decisions with informed consent, and not under coercion, demands that Americans make privacy a foundation of their advocacy, just as it is a foundation of our U.S. Constitution.
HIPAA is not a privacy statute
Let’s set the record straight on HIPAA. HIPAA does not protect your privacy. The Health Insurance Portability and Accountability Act (HIPAA) is a permissive collection of statutes and regulations that eliminates barriers to the flow of your PHI, rather than strengthening them. People use the term “HIPAA” interchangeably with “confidential” or “private,” but it is neither, and it applies in fewer circumstances than those in which it is invoked.[iii] For example, it doesn’t apply to schools or to someone asking your COVID shot status.
A bird’s-eye view of HIPAA is that it applies to health information that can be linked to an individual, from point-of-care to payment, governing what can happen to that information outside of that container. HIPAA applies to health plans, health providers, and “clearinghouses” (the entities that handle health information between providers and insurance).
What can happen to your health data outside of the transaction of getting care and paying for it? The possibilities are truly endless – and many have nothing to do with your care. Health data is used for marketing, law enforcement, public health surveillance and compliance measures, and more.
One section of HIPAA regulations (45 CFR 164.512) is solely dedicated to ways that protected, identifiable health information can be used without your consent. It is called: “[U]ses and disclosures for which an authorization or opportunity to agree or object is not required.”[iv] This section includes sweeping access to identifiable health information for use in public health or law enforcement, government or court-ordered investigations and hearings, solicitation of organ donation, research purposes, national security, and some employment circumstances. It does not stop there, however, because other permissible disclosures and uses are listed in other sections of the law.
No one can explain the dangers of HIPAA to informed consent better than privacy expert and nurse Twila Brase, R.N., who truly wrote the book on health privacy, titled “Big Brother in the Exam Room.” She revealed the twisted truth about HIPAA in an interview with SHF Director and Co-Founder Leah Wilson. Her printable resource “25 Ways HIPAA Harms” lists ways your data can be used without your consent, how HIPAA gets in the way of getting an accurate second opinion, and how it stops individuals from restricting the use of their health data even from companies like Google.
It’s powerful intel to understand that using HIPAA as a point of reference in a privacy law is a huge red flag. You know right away the law is not about privacy; it’s about data flow. Any legislator citing HIPAA as a standard for privacy is either misinformed or showing their stripes. In either situation, there’s an opportunity to educate both legislators and voters about the true nature of the hand of the federal government in health privacy.
States are the solution to health privacy concerns
What is the solution to stopping the snowball of HIPAA data disclosures from becoming an avalanche that buries privacy? The answer is state law. Protecting privacy has traditionally been an area of state, not federal, law. The federal government had no reason to enact privacy standards until it started obtaining personal information on citizens.
States enact confidentiality laws that protect your health data. Some states have been able, with the help of health advocates, to protect citizens from HIPAA by enacting stronger state law. This is why it is extremely important to prevent federal law from overriding state law (a process known as preemption).
Unlike the federal government, states are not pressured to please companies and organizations from across the globe. States can tailor their laws to the needs of their citizens and negotiate with those doing business within their boundaries without having to dilute protections to please every party. Corporations may complain that a patchwork of state law drives up the cost of doing business because of complexity, but that argument is akin to putting lipstick on a pig. It’s a distracting and disingenuous argument to say global companies cannot accommodate state laws. States will not try to drive companies out of business when they weigh individual fundamental rights against the benefits of having a strong business community in their state. Nothing stops a business from adopting the highest standards of privacy protection to minimize adaptations of doing business in different states. The United States Constitution was written to protect the fundamental rights of individuals against tyrants holding the purse strings.
Taking away the right of the states to legislate privacy protections would force citizens to fight violations with one hand tied behind their backs. The varying approaches of the states will inevitably lead to the best outcome to balance the most interests: It’s a check on the power of Big Data and Big Tech. But if the federal government has a monopoly on privacy law, the richest companies in the world have one-stop shopping for their legislative agendas.
It’s no surprise, then, that Big Data and Big Tech (and any congressperson aligned with them) do not support federal data privacy protection law unless it overrules state law.
Despite massive government overreach into our private health data, it’s not too late to stand up for privacy. The government would not be trying to pass laws to modernize public health data if it had access to all it needs. Immunization records, for example, stand in state silos of information. It’s up to us to encourage strong state laws and to stop the federal government from overriding them.
This article is Part 1 of a 2-part series
References & Sources
[i] Carpenter v. United States, 585 US ___ (2018) at 13, citing Riley v. CA, 573 US 373 (internal quotes omitted).