Citizens’ Council for Health Freedom to HHS Office for Civil Rights: Restore Pre-HIPAA Patient Privacy and Consent Rights

***News Release***


Citizens’ Council for Health Freedom to HHS Office for Civil Rights: Restore Pre-HIPAA Patient Privacy and Consent Rights

CCHF Gives HHS Six Action Steps to Return Patients’ Rights; Says Public Deceived—HIPAA Doesn’t Protect Privacy at All

PAUL, Minn.—The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a Request for Information (RFI) on “Modifying HIPAA Rules To Improve Coordinated Care,” and Citizens’ Council for Health Freedom (CCHF) took the opportunity to share its concerns and ideas before the OCR issues a proposed rule to change the HIPAA rule.

Namely, CCHF’s main assertation in its 14-page response to the RFI is that the 1996 Health Insurance Portability and Accountability Act (HIPAA) “Privacy Rule” isn’t about privacy at all.

“We support the right of patients to keep their private medical information confidential, thus we have long opposed HIPAA due to its intrusion on the patient-doctor relationship and its infringement of privacy rights,” wrote CCHF president and co-founder Twila Brase in her letter to HHS Secretary Alex Azar. “Our opposition continues today and has only grown with the EHR mandate, MIPS/APMs, HIEs, eHealth Exchange and interoperability mandates.”

Brase added that Citizens’ Council for Health Freedom has been engaged in a two-decade campaign to inform Americans that despite what they’ve long been told by the news media, government agencies, health plans, legislators, Congress, hospitals, and doctor’s offices:

  • HIPAA is not a privacy rule.
  • HIPAA gives outsiders legal license to share, use, analyze, link and sell patient data.
  • HIPAA empowers corporations, government, health plans and others to profit from access to and use of confidential patient information without the patient’s consent.

In its response to the RFI, CCHF reminded Secretary Azar that HIPAA is a broadly permissive data-sharing rule for use of data (internal sharing) and for disclosure of data (external sharing). Consequently, Brase added, the health freedom organization is concerned about certain phrasing in the RFI: “The Privacy and Security Rules limit the circumstances under which covered entities may use and disclose PHI [protected health information] and require covered entities to implement safeguards to protect the privacy and security of PHI.”

“Many Americans will read ‘limit the circumstances’ and think this means limited circumstances,” Brase said. “However, there are relatively few circumstances in which patient data cannot be shared, used, disclosed, compiled, analyzed, dissected, and if stripped of 18 identifiers, sold or given away. These uses and disclosures are permitted without patient consent under the broad definitions of payment, treatment and ‘health care operations’ as well as the deidentification standard, the 12 national priority purposes, the treatment exemption to the ‘minimum necessary’ requirement, and more.”

That HIPAA leaves patients powerless over the disclosure and use of their data was underscored by David Brailer, the first National Coordinator of Health IT, who said in Healthcare IT News in 2015: “You can’t force a covered entity to give your data to someone you choose, and you can’t stop them from giving it to someone they choose.”

“HIPAA’s primary focus is not privacy; it is security of the data before, after and while patient’s privacy is being violated, which is what happens when the patient’s data is disclosed and used without the patient’s consent,” Brase said. “If privacy were the focus, the HHS ‘Wall of Shame’ would be littered with documentation of all the times patient privacy is violated every day. HIPAA does not protect the patient data the way patients think it does or in the way patients define and interpret the word ‘privacy.’ Instead of requiring patients to sign a statement that wrongly convinces them that their data is held in confidence, OCR should have practitioners and institutions make a good faith effort to have patients sign a form/statement that faithfully and ethically shares the truth about HIPAA.”

Thus, CCHF suggested OCR make the following modifications:

  • Rename the PRIVACY RULE. Instead of “Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”),” as noted on the HHS HIPAA website, change the name to “Standards for Disclosing and Using Patient Data Without Patient Consent.”
  • Rename the NOTICE. Change “Notice of Privacy Practices” (NPP) to “Notice of Permitted Data Disclosures Without Patient Consent” and require actual definitions (full text) of “treatment” “payment,” “health care operations” and a list of the 12 national priority purposes to be included within the notice.
  • Change the text of the ACKNOWLEDGEMENT STATEMENT. Edit to say: “I understand that the federal HIPAA regulation permits sharing and use of my personally-identifiable health information without my consent, including to the government and various corporations for non-clinical and other purposes. I further acknowledge that I have received a copy of the Notice of Permitted Data Disclosures Without Patient Consent and I have reviewed the federal purposes and definitions that permit data sharing without my consent—unless a stronger state medical privacy law exists to prevent such uses and disclosures. Finally, I acknowledge that I have reviewed my right to request restrictions on data sharing and that my provider must provide me with a form to do so at my request, but that my provider is allowed to agree or refuse to agree to my request for restricted sharing of my information and must inform me of such agreement or refusal, or future changes in such an agreement.”
  • Modify the process for REQUESTING RESTRICTIONS on data sharing. OCR should produce a standardized form that every practitioner and institution must make available upon request.

At the very least, according to CCHF, OCR should:

  • Prohibit doctors and hospitals from telling patients that HIPAA is a privacy rule or that it protects their privacy.
  • Require doctors and hospitals to tell patients that HIPAA is a data-disclosure rule permitting disclosures of personally-identifiable patient information without patient consent,
  • Prohibit practitioners and institutions from refusing to treat patients if patients refuse to sign the acknowledgement—if OCR continues to require make a good faith effort to get a signature acknowledging receipt/understanding/reading of the NPP.
  • Require notification of patients on how the patient can easily access a full accounting of all disclosures and uses of their private medical data.

However, all these suggestions and modifications would be unnecessary if OCR would restore patients’ pre-HIPAA privacy and consent rights, Brase says. Therefore, in its RFI response, CCHF made six requests in advance of any future Notice of Proposed Rulemaking (NPRM) to modify HIPAA:

  1. Restore the patient privacy and consent rights that were in place pre-HIPAA.
  2. Initiate and enforce a “Truth about HIPAA” campaign for the American people, including their state legislators and members of Congress.
  3. Acknowledge and support that patients have a right to keep their confidential information truly confidential. It’s up to patients to decide whether to agree to share their confidential data in particular if the benefits, including third-party payment for care, give them sufficient reason to share the data for that purpose, but perhaps only for that purpose, and limited to the data necessary for that purpose alone.
  4. Write the NPRM from the understanding that interoperability is not and should not be the end goal; the goal should be the protection of the patient’s rights, privacy, confidence, security, safety, access to care, and trust. After all, the point of the entire health care system is the patient and the integrity of the system rests on how the patient is treated and cared for.
  5. Write the NPRM from the understanding that the lack of full, unmitigated, 24/7 interoperability today is the only thing that protects patients from HIPAA and its permissive use and sharing of their confidential data without their express consent (unless a stronger, more protective state law exists).
  6. Write the NPRM from the understanding that patient consent requirements do not inhibit interoperability. They just limit disclosures and uses to those that the subject of the data (the patient) permits – as it should be.

“As CCHF often says, ‘He who holds the data makes the rules,’” Brase remarked. “Thus, protecting patient privacy protects not only the confidentiality of private information, but the individual freedom and choices of citizens.”

Read CCHF’s entire response to the ““Request for Information on Modifying HIPAA Rules to Improve Coordinated Care” here. CCHF also has a web page to report harms experienced by patients due to HIPAA:

In a new book, Brase writes extensively about the privacy-stealing HIPAA rule (Section IV), as well as socialized medicine, patient privacy, electronic health records, health freedom and how the Affordable Care Act has harmed patients and doctors since 2010. Find “Big Brother in the Exam Room: The Dangerous Truth About Electronic Health Records” online wherever books are sold or at

Learn more about CCHF at, its Facebook page or its Twitter feed @CCHFreedom. Also view the media page for CCHF here. For more about CCHF’s initiative The Wedge of Health Freedom, visit, The Wedge Facebook page or follow The Wedge on Twitter @wedgeoffreedom.