It's mind-boggling because I highly doubt it's actually true. I'm not sure where the OP is getting that info. Patients can't waive away HIPAA privacy/security rights.
I think the OP is assuming that when healthcare institutions partner with third parties, those third parties are not required to uphold HIPAA. If that's his/her belief, it's 100% false. Third parties associating with healthcare institutions have to sign business associate agreements (BAAs) that require them to uphold the same standard of privacy/security regarding patient data as the first party healthcare institution. There are severe financial penalties for violating HIPAA, and every healthcare institution I've been a part of takes this extremely seriously.
Before I start, I'm not singling you out. I am happy that you're participating in this discussion and sharing your first-hand knowledge.
The thing for me is that if HIPAA truly does provide me privacy of my personal information and health care information, why are all of these privacy and consent forms required?
Whenever I am handed a form that says "privacy policy" my sense is immediately raised - what is it that they're trying to hide from me through mountains of legalese? When I don't receive one (as was the case in my doctor's visit) then I am REALLY on edge.
For example, with my health care visit, this thread prompted me to call the listed numbers on the website for the health care provider to discuss their privacy policy. The provider's number dumps you into an IVR that has zero way to reach a human - you must dial an extension, and there is no option for an operator. I ended up calling their headquarters to get a callback from a human.
If there are standard mechanisms and policies in place, then we should be able to understand the rules once and never have to sign another form again, because the rules would be clear, unambiguous, and applicable to every health care interaction. If the rules are clear about not waiving HIPAA privacy/security rights, then why have a privacy policy that's three pages of inscrutable legalese that gives a bunch of weasel room for them to "share" information?
No problem—glad to participate! There's a lot of cynicism that leads to misinformation about how healthcare works, so I'd like to clean that up. Let's attack and fix the broken parts of the system, but we should praise the working parts. I think patient privacy/security is one of the few things the US gets mostly right about healthcare.
Regarding the privacy policies: these are created by the legal department, and physicians in the department are told to distribute them and get signatures when necessary in order to do things by the book. However, your rights are inalienable and protected regardless of whether you actually receive the policy and sign the appropriate box. If you don't receive the policy, the healthcare institution is on the hook and could face a fine if reported to the DHHS. Things could absolutely be done more efficiently and more clearly for patients, but there's a fear of changing things ("if it ain't (horribly) broke, don't fix it"). Trying to improve how privacy policies are disseminated and how patients are informed could result in an inadvertent violation of HIPAA that results in large fines. So healthcare institutions are disincentivized from trying to improve things here.
I reviewed the patient privacy policy for a few large institutions in the US, and it all seems to support what I'm saying. For example, here's NYU's policy on business associates: https://nyulangone.org/files/business-associates.pdf
The only ways in which patient data can be shared with others are if (1) they're involved in your treatment (e.g., your doctor at another hospital), (2) payment purposes (e.g., insurance), or (3) health care operations (e.g., third-party vendor software like EMRs, PACS, etc.). All are required to be HIPAA compliant if they're covered entities (i.e., healthcare institutions) or sign a BAA with a covered entity that essentially puts the same HIPAA requirements on them. A violation again results in massive fines, C-suite level firings, and expensive legal fallout.
I spoke with the compliance manager at the urgent care this afternoon and had a pleasant conversation. I shared my concerns that I was never provided a copy of the paperwork I was expected to sign - and they took that feedback to hopefully improve in the future.
I had one question in case you're still monitoring this thread. The compliance manager mentioned a "health information exchange" which I opted out of (since it was something I can control). Do you have experience with these? It seems benign from the searches I've done since the conversation, but I would be curious if you had any insight as a medical professional.