Privacy & Data Rights

Hospital Shares Records Without Consent

Your medical records cannot be disclosed without your authorization except in defined circumstances


What They Said

“We shared your records with our billing partner. It's standard practice.”
Medical records are among the most sensitive personal information that exists. They contain details about diagnoses, medications, mental health history, substance use treatment, reproductive health, genetic information, and financial circumstances — information that, in the wrong hands, can affect employment, insurance, relationships, and personal safety. When patients share this information with a healthcare provider, they do so in a relationship of profound trust, with an expectation that it will be used for their care and nothing else without their knowledge and consent.

The proliferation of healthcare billing partners, data analytics companies, marketing vendors, and other third parties has made unauthorized sharing of medical records more common and more consequential. Healthcare providers and their business associates sometimes treat data sharing as an ordinary business function — 'standard practice' — without fully considering whether their sharing falls within HIPAA's permitted uses or requires patient authorization. Patients rarely know when their records have been shared or for what purpose.

HIPAA's Privacy Rule draws clear lines: protected health information may be used for treatment, payment, and healthcare operations without specific patient authorization — but sharing records with a billing partner for purposes beyond payment processing, with marketing companies, with employers, or with other entities outside the defined categories requires written patient authorization. 'Standard practice' is not a HIPAA exception.

Note: State law may provide additional protections beyond the federal baseline described here. Many states have enacted stronger medical privacy laws, particularly for mental health, substance abuse treatment, HIV status, and genetic information.

Appeal to Industry Custom ('Standard Practice' as Legal Justification)

The healthcare provider is invoking an Appeal to Industry Custom — the claim that because something is 'standard practice' in the industry, it is therefore lawful. This is a logical fallacy because industry customs do not determine what the law permits. If anything, widespread illegal practices in an industry are evidence of systemic non-compliance, not of legal permissibility. HIPAA's entire regulatory framework was enacted because the healthcare industry's 'standard practices' around data sharing were deemed inadequate. Congress and HHS established specific rules about what uses and disclosures are permitted without authorization — and those rules are not satisfied by pointing to what other providers do. A provider's assertion that sharing is 'standard' neither creates a HIPAA exception nor shifts any obligation away from the entity that made the impermissible disclosure.

Moreover, 'billing partner' is a category that requires scrutiny. HIPAA permits disclosures to 'business associates' — entities that perform functions on behalf of the covered entity — but only under a Business Associate Agreement (BAA) that limits the associate's use of the information to defined purposes. Sharing records with a billing company that then uses them for data analytics, marketing, or other non-payment purposes is not covered by the billing exception, even if the initial sharing was for payment processing.

Your Legal Foundation

HIPAA Privacy Rule, 45 C.F.R. § 164.502
“A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 164 of this subchapter. A covered entity may not use or disclose protected health information, except: (i) To the individual; (ii) For treatment, payment, or health care operations as permitted by and in compliance with § 164.506; (iii) Incident to a use or disclosure otherwise permitted or required as provided by this subpart... or (v) Pursuant to and in compliance with a valid authorization under § 164.508.”
This provision establishes the general prohibition: protected health information may not be disclosed unless it falls within a specific permitted category. Sharing records with a billing partner is only permitted for actual payment processing purposes — not for data analytics, marketing, or other secondary uses. Any disclosure outside the enumerated permitted uses requires a written patient authorization under § 164.508. 'Standard practice' is not listed among the exceptions.
HIPAA Privacy Rule, 45 C.F.R. § 164.524
“Except as otherwise provided herein, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
Every patient has the right to access their own medical records and to know what information is being maintained. This right enables patients to verify what information was shared, identify inaccuracies, and understand who has received their information. A provider must respond to a patient's access request within 30 days. This right is foundational to patient autonomy over their own health information.

God's Word on This

Proverbs 25:9 (NIV)
“If you take your neighbor to court, do not betray another's confidence.”
Even in an adversarial legal context, Scripture prohibits betraying confidences entrusted to you. A patient who shares their medical history with a doctor does so in a relationship of trust that is explicitly protected by law. When a healthcare provider shares that information with third parties without authorization, they betray the confidence of the most intimate trust relationship in human experience — the relationship between a person and their healer.
Matthew 7:12 (NIV)
“So in everything, do to others what you would have them do to you, for this sums up the Law and the Prophets.”
The Golden Rule applied to medical data: would a hospital administrator or billing company want their most intimate health records shared with partners they have never heard of, without their knowledge or consent? The answer is obvious — and the law requires what the Golden Rule demands. Patient authorization before sharing is not a bureaucratic burden; it is the application of basic human reciprocity to sensitive personal information.

Common Counter-Arguments

After you respond, they may push back with these arguments.

They might say: “You signed our Notice of Privacy Practices when you registered — that authorized us to share for payment and operations.”
They might say: “HIPAA only allows patients to complain to HHS — there's no private lawsuit you can bring.”