Date: 2025-06-29

On June 28th, I posted a simple, factual reminder:

Within hours, I was inundated—Twitter replies, emails, phone calls, private messages, and commentary across platforms. A torrent, yes. But more than that: a moment of diagnostic clarity. Because that tweet—on its own—was not controversial. It was accurate, restrained, and apolitical. So what happened?

What happened was not about wearables.

It was about trust. Or, more precisely, its absence.

The Reality I Described

The tweet outlined a basic legal fact: medical data collected by wearable devices—when used for medical purposes—is protected under HIPAA. Patients (users) control access. That’s the law. If entities misuse the data, they are subject to civil and, in some cases, criminal penalties.

This is not a speculative opinion. It’s codified, enforced, and part of the operational reality of companies in the medical device space.

But none of that mattered.

The Emotional Landmine I Stepped On

In a post-COVID world, saying “HIPAA protects you” feels to many like saying “The levees will hold” in New Orleans, circa 2005.

To those who lived through:

Vaccine mandates that circumvented informed consent,

Schools and employers demanding vaccination proof,

Governments repurposing emergency powers to collect and analyze personal health data...

...HIPAA now feels like a suggestion, not a protection.

@AgeofAutism

“We want to support @SecKennedy of course. This is a non-starter and downright antagonizing. No. HIPAA means nothing. As we learned during COVID.”

But HIPAA for vaccines is not HIPAA for other medical devices.

Let me explain.

HIPAA for vaccines is not HIPAA for wearables.

While it is true that medical data from wearables are covered under HIPAA and remain, by law, under patient control, that statement applies to general medical devices—not to the immunization ecosystem. The vaccine industry, in collusion with federal and state agencies, systematically dismantled HIPAA protections when it came to vaccination status. And they used your tax dollars to do it.

Immunization Information Systems (IIS), once justified as tools for pediatric coordination, have quietly metastasized into a de facto surveillance infrastructure—federally subsidized, state-run, and functionally unregulated.

These systems now:

Ingest vaccine data from pharmacies, EHRs, and mobile units without patient initiation.

Retain permanent vaccination dossiers—without notification or opt-out.

Share that data across state lines and with employers, schools, and agencies—without consent.

Operate in direct violation of HIPAA §164.502(b), which requires that only the minimum necessary information be disclosed.

Under the guise of public health, the CDC has poured more than $200 million annually into IIS interoperability projects—building batch import tools, onboarding commercial vendors, expanding dashboard surveillance, and knitting together real-time interfaces with health records and contractors.

We saw the consequences during COVID:

Employers demanded full CDC vaccine cards as a condition of employment, storing more PHI than necessary.

Students were forced to upload vaccine records just to attend class or live on campus.

State governments, like New York, used registry-linked surveillance to track and contact travelers, triggering quarantine orders based on health data—with no warrant or court oversight.

Federal regulators, through OSHA, attempted to impose a nationwide vaccine-or-test mandate covering over 84 million workers. Though struck down by the Supreme Court in NFIB v. OSHA (2022), the aggregation of employee health data was already well underway.

This wasn’t a breakdown. It was deliberate design.

IIS programs now violate:

HIPAA §164.502(b) – exceeding the “minimum necessary” data standard.

ADA (29 C.F.R. §1630.14) – mandating record confidentiality, especially in employment.

Title VII – mishandling of religious and medical exemptions.

The Fourth Amendment – using health data for surveillance without probable cause.

The Fourteenth Amendment – coercive disclosures without due process.

And yes, the lawsuits are catching up. In Bridges v. Houston Methodist (2021) and Domski v. Blue Cross (2024), plaintiffs challenged vaccine-related employment coercion and data misuse. The $13 million jury award in Domski underscores how serious these violations are when brought before a jury of peers.

So no—HIPAA for vaccines is not HIPAA for wearables.

HIPAA Penalties Are Devastating

My original tweet referred to the remaining zones of private health data—devices that are still, for now, under patient control. But vaccine data already escaped HIPAA’s orbit, smuggled through IIS infrastructure and shielded by bureaucratic opacity.

Clearly, we should not let the same happen with wearable devices.

It is precisely because of the vaccine data precedent that we must demand stronger boundaries, real informed consent, open-source transparency, and absolute control by the individual—not the state, not the employer, not the registry.

Anything less is just the next iteration of digital tyranny in medical drag.

I understand completely why the distrust is there.

Before we go further, understand that nowhere have I ever endorsed any wearable medical devices. In private emails, exploring potential uses, sure.

But my intent was to do what I’ve been doing for a long time: Interpreting current events using logic, reason, and science.

When I reminded people that wearable data is private by law, the message collided with a different lived truth: laws weren’t followed during COVID, and no one was held accountable.

Some reminded me that “Data from medical wearables are hackable!”.

But so are data from your electronic medical records.

That’s why we have HIPAA

The notion that HIPAA protections are toothless is not merely rhetorical. Across the last decade, breaches of Electronic Medical Records (EMRs) and Electronic Health Records (EHRs) have triggered some of the largest regulatory fines and class-action settlements in healthcare history—confirming that while enforcement may be inconsistent, when it arrives, it is often catastrophic.

In 2015, Anthem—one of the largest health insurers in the United States—suffered a breach exposing the personal health information of nearly 80 million individuals. The compromised data included names, birthdates, Social Security numbers, addresses, and medical identification details. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) levied a $16 million fine—the largest HIPAA settlement ever imposed at the time. Additionally, Anthem agreed to a $115 million class-action settlement, illustrating the massive civil liability risk that follows even a single failure in data security.

A year earlier, Community Health Systems faced a breach in which hackers accessed 4.5 million patient records. This event triggered a combined enforcement response: a $3.1 million HIPAA settlement, approximately $5 million in state-level penalties, and an additional $2.3 million in federal fines. Together, these penalties reflected not just a failure of perimeter security, but a lack of layered safeguards, incident response protocols, and vendor oversight.

The Reaction Breakdown Led to Hypervigilance

While some reports in the healthcare tech press speculate on more recent vendor breaches, including 2025 claims involving HealthEC, Arisa Health, and Episource, these have not yet been confirmed by OCR, the courts, or the UK’s Information Commissioner’s Office in final adjudicated form. As such, they are excluded from definitive analysis until public enforcement records or case settlements become available.

What is clear from the verified cases is that HIPAA, when enforced, carries real teeth. Massive fines, multi-state actions, corrective orders, and class-action exposure all remain live threats for any entity that mishandles protected health information (PHI). And it is precisely this framework that distinguishes the current reality of wearable device data governance from the vaccine data exception—where systematic erosion of HIPAA principles has been normalized. In the realm of EMRs, the law still has bite. The real risk lies in failing to demand its application.

Disillusioned Advocates

People who’ve spent decades fighting for health freedom saw the tweet as sanctioning and sanitizing surveillance. They didn’t read it as reassurance—they read it as alignment with a system that lied to them, censored them, and punished dissent. I get it. I want people to know we have recourse.

Security Realists

A more technically grounded group raised legitimate concerns: What if the data gets hacked? What about backdoors?

@bobsnee

“Great in theory, but the government has been known to require IT people to create back doors, and swear them to secrecy, even from their employers.”

@MrsSmithSaysMrs

“My first thought—and that of many others, it appears—is that the medical info on a wearable can be hacked. What is the solution for this?”

These aren't hypothetical issues. They reflect real risks in device design and backend infrastructure. I acknowledged that in follow-ups—and I agree: protections only matter if they’re enforced, and if the architecture is auditable.

Electronic medical records are hackable, too.

Legal Nihilists

The third group didn’t dispute the law—they rejected its relevance. Their argument is: “They’ll break the law and drag it through the courts for a decade. And no one will stop them.” These are the voices of hard-earned cynicism.

@rfamariss4

“Bullshit. Like most things, they will break the law and then ride the ten years the courts take to — maybe — hold anyone accountable.”

To them, talking about compliance feels quaint—like quoting etiquette rules at a riot.

I refer them to the table of cases of prosecution of abuses

What This Was Actually About

This wasn’t about RFK Jr., HIPAA, or even wearables.

It was a test of loyalty.

For example:

@Movanhook

“James, you should know better! Good grief.”

I had made a public statement that acknowledged nuance in a space that many feel only permits binary framing: total rejection or total compliance. Anything in between is “selling out.”

But I’m not here to pass ideological purity tests. I’m here to make arguments that are technically accurate, ethically anchored, and tactically useful. And the truth is: we can’t navigate the future by flattening it. More importantly: We should know what tools we have in our armamentarium, and which tools we may have to defend from weakening and abuse.

Here’s What I Do Believe

The instinct to distrust post-COVID is valid.

People saw HIPAA gutted in spirit, if not on paper. Rebuilding that trust will require more than legal citations—it will require real-world accountability. Thus, the table above. The Kennedy Administration is right to address this now.

Establishing clear, enforceable limits before surveillance abuses occur is precisely what a precautionary public health ethic demands. I’m glad it’s Kennedy in office on this issue. Wearables are not inherently evil.

Used properly—with informed consent, open-source code, and no government backdoors—they can empower individuals, not enslave them. The EMF and other concerns are addressed here. We must demand transparency, not fear technology.

Push for independent audits. Push for zero-knowledge architectures. Push for prosecutions when violations come. Push for laws that stick.

What Comes Next

Guys, it’s me. Dr. Jack. I won’t ask you to trust me. But I think, if anything, this is an opportunity for me to clarify what I hope you all realize: My goals are to empower. People who may have to go into a fight should know how to use their weapons. Nihilism is fruitless. You can quote me on that, I think it will go down in history as one of the most obvious and unnecessary things I’ve ever written. And I hope so. Because that means in the future people will come to appreciate what we have won.

We did not just win freedom from COVID-19 mandates, or even “just” the HHS. We won a $1.7 TRILLION dollar warchest. Let that sink in.

If you were among those who recoiled at my tweet—good. That means you care. That means you remember. You should be vigilant. You should be skeptical. You should demand more.

But let’s be clear-eyed:

Screaming “NO” at all wearable tech will not build the world we want.

Pretending HIPAA doesn’t exist will not protect us from its misuse.

Demonizing those who acknowledge legal and technical nuance will not prevent backdoors—it will just fracture coalitions and prevent people from knowing the laws that exist that do protect them.

We need to hold multiple truths at once:

Wearables can be weaponized.

HIPAA is real, but vulnerable.

Enforcement mechanisms matter.

RFK Jr. is not pushing mandates.

We must remain the architects of the next stage of digital ethics.

So no—I’m not deleting the tweet. But I will expand on it.

I will keep clarifying the path forward, because clarity is power. And power, in the right hands, can code the means to prevent tyranny.

Let’s use it. If you’re for banning medical wearable devices, fight your fight. It’s a $37Bln market already. If you’re for tight regulations, go for it.

But then next time someone tries to tell you that you have power that you clearly do not realize you have, and you cannot recognize that message, go on reputation.

Leslie Manookian once attacked me for daring to defend exemptions from mandates as if I thereby supported mandates. I didn’t mind; it was clear to me what her logic errors were, so I responded. I do not hold animosity in reserve for Leslie.

I simply explained then, and I explain now, that drawn conclusions are for those drawing them to sort out. Because the exemptions needed defending, and that was the topic and point of my visits to 17 states: To defend our rights to say no.

I respect and admire you all so much, I want you to know: I’m happy to continue analyzing and sharing what I know, what I learn, and admit when I make mistakes.

My tweet was too short. My tweet was provocative. And yes, it was intended to be. Now, we have the responses, and my reply. But it was anything but naïve.

Kennedy Will Never “Sell Out”

But this is not about me. Wearables will continue to be properly regulated or not.

But hear me on this: Kennedy has not sold out. Kennedy will never sell out.

Revile or revere the man, but if you want to have the world you want, respect the office.

We can all voice our concerns and our solutions (the latter being as important as the first) by contacting HHS.

Constructive feedback and even foresight, I’m sure, will be appreciated. While we may not individually receive responses, the information provided, if helpful, will no doubt be acted upon in due course.

