Here’s a question nobody asked you when you checked into the hospital: “Is it okay if we send your medical notes to a military contractor’s AI system?”
NYC Health + Hospitals just stopped renewing its contract with Palantir – the company that built surveillance tools for ICE and the Pentagon – after activists exposed the nearly $4 million deal. Palantir’s software had been scanning patient health notes to optimize Medicaid billing since November 2023.
The kicker? Most patients had no idea.
Hospitals share patient data with third-party analytics vendors under the vague umbrella of “health care operations.” The privacy notice you signed on your first visit technically covers it. No one sends you an email. No dashboard shows who’s processing your records. You find out when someone leaks the contract.
What can you actually do? Here’s how to audit your hospital’s data-sharing setup and lock down what you can control.
What Actually Happened in NYC
NYC paid Palantir to improve billing efficiency. That included automated scanning of patient health notes. The contract language? Palantir could “de-identify” protected health information and use it for “purposes other than research” with the agency’s permission.
Activists pushed back. March 16, 2026: NYC Health + Hospitals CEO Mitchell Katz told the City Council the contract wouldn’t be renewed when it expires in October. The work will supposedly move in-house.
But here’s the part the news coverage missed: this contract structure is normal. HIPAA lets hospitals share your data with third parties for “treatment, payment, and health care operations” without asking you. Revenue cycle optimization – what Palantir was doing – falls under operations. Legal. Invisible to patients.
The NYC story only surfaced because activists filed records requests. How many similar contracts exist at your hospital?
Find Out What Your Hospital Actually Tells You
Start with the document you skimmed and signed on your first visit: the Notice of Privacy Practices.
Every HIPAA-covered provider must give you one. Explains how they can use and share your health information. Most are 4-8 pages of legal boilerplate. Buried inside? A section on disclosures to “business associates” – third parties that handle data on the hospital’s behalf.
How to get it:
Check your hospital’s website – search “[hospital name] privacy practices.”
Ask at the front desk.
If you use a patient portal (MyChart, Epic, Cerner), look under account settings or legal documents.
What to look for:
“Health care operations” – the catch-all covering analytics, billing optimization, quality improvement.
“Business associates” – companies processing data for the hospital.
“De-identified information” – data stripped of obvious identifiers but still potentially traceable.
“Payment and reimbursement” – revenue cycle work, like what Palantir did.
Most notices say: “We may share your information with business associates who perform services on our behalf.” They won’t name the companies. That’s the gap.
Watch out: The privacy notice tells you what CAN happen, not what IS happening. To find out which companies actually have access, you need to go further.
Request an Accounting of Disclosures (and Understand Its Limits)
HIPAA gives you the right to an “accounting of disclosures” – a list of when your provider shared your health information outside the organization.
Huge exception: the accounting does NOT include disclosures for treatment, payment, or health care operations. If your hospital sent your records to Palantir (or any analytics vendor) under the “operations” justification? Won’t show up.
Still worth requesting. It shows disclosures for public health reporting, legal requests, research (if you didn’t consent), and other non-routine sharing. If your data went somewhere unexpected – insurance fraud investigations, subpoenas, mandatory disease reporting – you’ll see it.
How to request:
Contact your hospital’s Health Information Management (HIM) department or privacy officer – listed on the privacy notice. Submit a written request (email or form). They must respond within 60 days (extendable to 90 if they notify you).
Ask: “I’m requesting an accounting of disclosures of my protected health information for the past six years, as allowed under HIPAA. Also: can you provide a list of business associates or third-party vendors that have accessed my records for health care operations purposes during this period?”
The second part isn’t required by HIPAA. Some hospitals will answer. Others won’t. Worth asking.
Ask the Direct Question: Who Are Your Analytics Vendors?
Contact your hospital’s privacy officer or patient advocate office. Use this script:
“I recently learned that some hospitals use third-party data analytics companies to process patient information for billing and operations. Can you provide a list of business associates or vendors that have access to patient records at [Hospital Name], especially those involved in revenue cycle management, clinical analytics, or AI-based tools? I’d also like to know if any of these companies can use de-identified patient data for purposes beyond my direct care.”
You might get: a general answer (“We work with vendors but can’t disclose specifics”), a partial list (EHR vendors like Epic, billing companies, but not analytics firms), or a real answer (rare – happens at smaller or more transparent systems).
Document the response. If they refuse, note who you contacted and when. Creates a paper trail if you later file a complaint or records request.
Check If You Can Opt Out
HIPAA lets you request that a hospital restrict how it uses or shares your information. Hospitals don’t have to agree – except in one case: if you paid out-of-pocket in full and ask them not to share with your insurance, they must comply.
Everything else? Optional. Hospitals can say no.
Requesting a restriction sends a signal. Some hospitals track these requests and adjust policies if enough patients push back.
How to request a restriction:
Submit in writing to the hospital’s privacy officer. Be specific: “I request that my health information not be shared with third-party analytics vendors for revenue cycle optimization or other health care operations purposes unrelated to my direct treatment.” If they deny it, ask them to document your request in your file. Becomes part of your patient record.
In the UK, over 50,000 NHS patients filed complaints about Palantir’s £330 million data platform as of February 2026. Mass opt-outs and complaints do influence policy – NYC’s contract cancellation proves it. One patient’s request? Limited effect. Collective pressure works.
What About ‘De-Identified’ Data?
De-identification isn’t as anonymous as it sounds. The NYC contract let Palantir “de-identify” patient data and use it for non-research purposes. De-identification means stripping obvious identifiers – name, social security number, specific dates.
Research shows this isn’t bulletproof. Cross-referencing de-identified data with other datasets – zip codes, demographics, prescription patterns – can re-identify individuals, especially with AI tools designed to find patterns.
Privacy advocates argue “de-identified” is a legal fiction protecting companies more than patients. You can’t opt out of de-identification under HIPAA – it’s considered non-PHI once the identifiers are removed.
What you can do: Ask your hospital if they allow vendors to de-identify and reuse your data. If they say yes, document it. Enough patients raise the issue? Hospitals may add stricter contract terms.
Advanced Move: File a Public Records Request
The NYC Palantir contract only became public because activists filed a Freedom of Information Act (FOIA) request. If your hospital is government-owned or receives public funding, you can do the same.
Request: “Copies of all contracts, agreements, or business associate agreements between [Hospital Name] and third-party data analytics, artificial intelligence, or revenue cycle management vendors executed between [date range].”
Public hospitals must respond (timelines vary by state – usually 10-30 days). Private hospitals don’t have to comply with FOIA. Some respond to public pressure.
This is how you find the contracts nobody wanted you to see.
Why This Matters Beyond Palantir
Think about the infrastructure here. Health Catalyst, Optum, IBM Watson Health, Arcadia – dozens of companies provide analytics to hospitals. Most of this work is legitimate: improving care coordination, catching billing errors, managing population health.
But the data flows are identical whether the vendor is optimizing discharge times or building surveillance tools. Once your records are in a third-party system, safeguards depend entirely on contract terms you’ll never see and oversight mechanisms that barely exist.
The question isn’t “Is Palantir uniquely bad?” It’s “Should patients know when their medical notes leave the hospital’s direct control?”
Right now? No. HIPAA doesn’t require it. Hospitals don’t volunteer it. The system assumes you trust everyone with a business associate agreement.
That assumption is breaking.
What Happens Next in Your Hospital
NYC says it’s bringing Palantir’s work in-house. New questions: Will they hire Palantir staff as consultants? Use the same methods? Build the same tools internally?
“In-house” sounds safer. It’s not automatically more transparent. What matters is governance: who accesses the data, for what purpose, with what oversight, and – here’s the real test – do patients know about it?
Hospitals that want to rebuild trust could proactively disclose major analytics vendors on their privacy pages. Explain in plain language what “health care operations” actually means. Offer meaningful opt-outs for non-essential data sharing. Let patients review business associate agreements on request.
None of this is required. All of it should be.
Your Next Step: Start With One Email
Email your hospital’s privacy officer. Ask: “Does [Hospital Name] currently use third-party analytics companies to process patient data for billing, operations, or quality improvement? If so, which companies, and can patients request restrictions on this sharing?”
Most will give you a non-answer. Some will ignore you. A few will surprise you with actual transparency.
Every question creates a data point. Every request signals that patients are paying attention. That’s what changed NYC. It can change your hospital too.
Frequently Asked Questions
Can my hospital legally share my data with AI companies without telling me?
Yes. HIPAA lets hospitals share your protected health information with third-party “business associates” for treatment, payment, and health care operations without your explicit consent. Includes AI and analytics companies working on billing optimization, quality improvement, clinical decision support. The hospital must provide a Notice of Privacy Practices explaining this can happen. They don’t have to tell you which specific companies access your records or notify you when it occurs.
What’s the difference between ‘de-identified’ data and truly anonymous data?
De-identified data has obvious identifiers removed – name, SSN, exact dates – but retains detailed clinical information, demographics, patterns. Not truly anonymous. Cross-referencing de-identified records with other datasets (zip codes, prescription histories, rare diagnoses) can re-identify individuals, especially using AI. The NYC contract allowed Palantir to de-identify patient data and use it for “purposes other than research.” Vague clause. Once data is de-identified under HIPAA? No longer considered protected health information. You can’t opt out. The “de-identified” label protects the company legally but may not protect your privacy practically.
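The claim above, and in the “What About ‘De-Identified’ Data?” section, is that removing names and SSNs leaves records that can still single people out through zip code, birth date, sex and rare diagnoses. The following audit script is an added illustration written for this article, not code from NYC Health + Hospitals, Palantir, or any vendor. It runs on a constructed sample of eight records (no real patients) and measures how many of them remain unique on those quasi-identifiers, before and after the two generalization steps a privacy engineer would try first: coarsening zip to three digits and date of birth to year. The field names, the sample values and the `suppress_small_classes` helper are all assumptions made for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample (not real patients): what a "de-identified" extract still
# carries after name, SSN and medical record number are stripped.
RECORDS: List[Dict[str, str]] = [
    {"zip": "10027", "dob": "1981-03-14", "sex": "F", "dx": "type 2 diabetes"},
    {"zip": "10027", "dob": "1981-03-14", "sex": "F", "dx": "hypertension"},
    {"zip": "10027", "dob": "1981-11-02", "sex": "M", "dx": "asthma"},
    {"zip": "10032", "dob": "1975-07-09", "sex": "M", "dx": "hypertension"},
    {"zip": "10032", "dob": "1975-07-21", "sex": "M", "dx": "type 2 diabetes"},
    {"zip": "10451", "dob": "1990-01-30", "sex": "F", "dx": "asthma"},
    {"zip": "10451", "dob": "1990-05-17", "sex": "F", "dx": "hypertension"},
    {"zip": "10462", "dob": "1968-12-05", "sex": "M", "dx": "rare metabolic disorder"},
]

QuasiIds = Tuple[str, ...]
DEFAULT_QIDS: QuasiIds = ("zip", "dob", "sex")


def equivalence_classes(records: List[Dict[str, str]], quasi_ids: QuasiIds) -> Counter:
    """Group records by their quasi-identifier values; each group is one equivalence class."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: List[Dict[str, str]], quasi_ids: QuasiIds) -> int:
    """Smallest equivalence class. k == 1 means at least one record stands alone."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_fraction(records: List[Dict[str, str]], quasi_ids: QuasiIds) -> float:
    """Share of records whose quasi-identifier combination appears exactly once."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singletons / len(records)


def generalize(record: Dict[str, str]) -> Dict[str, str]:
    """Coarsen the most linkable fields: 5-digit zip -> 3-digit prefix, full DOB -> year."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def suppress_small_classes(records: List[Dict[str, str]], quasi_ids: QuasiIds, k: int) -> List[Dict[str, str]]:
    """Drop every record sitting in an equivalence class smaller than k (hypothetical mitigation step)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] >= k]


def audit(records: List[Dict[str, str]], quasi_ids: QuasiIds = DEFAULT_QIDS):
    """Return (before, after) uniqueness metrics around the generalization step."""
    before = {"k": k_anonymity(records, quasi_ids), "unique": unique_fraction(records, quasi_ids)}
    generalized = [generalize(r) for r in records]
    after = {"k": k_anonymity(generalized, quasi_ids), "unique": unique_fraction(generalized, quasi_ids)}
    return before, after


if __name__ == "__main__":
    before, after = audit(RECORDS)
    print("raw extract      :", before)       # 6 of 8 records unique on zip+dob+sex
    print("zip3 + birth year:", after)        # still k=1: two records remain unique
    kept = suppress_small_classes([generalize(r) for r in RECORDS], DEFAULT_QIDS, k=2)
    print("after k=2 suppression: %d of %d records kept, k=%d"
          % (len(kept), len(RECORDS), k_anonymity(kept, DEFAULT_QIDS)))
    # Treating diagnosis as a quasi-identifier shows why rare conditions matter:
    print("unique incl. diagnosis:", unique_fraction(RECORDS, DEFAULT_QIDS + ("dx",)))
```

On this sample, stripping identifiers leaves six of eight records unique on zip, birth date and sex; coarsening zip and birth date drops that to two, but k stays at 1 because the rare-diagnosis record and one other still stand alone. Only suppressing classes smaller than 2 reaches k=2, at the cost of discarding records. Adding the diagnosis column to the quasi-identifier tuple makes every record unique, which is the “rare diagnoses” point the answer makes: a vendor contract that permits “de-identify and reuse” says nothing about which of these steps was actually taken.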
If I file a complaint about my hospital’s data sharing, will it affect my care?
Legally? No. Retaliating against patients for exercising privacy rights violates HIPAA – triggers federal penalties. Most hospitals treat privacy requests as administrative matters handled by compliance staff, not your care team. Doctors and nurses typically never see these requests. Filing complaints creates a record: if you later escalate to the HHS Office for Civil Rights or pursue legal action, documented requests strengthen your case. Frame requests matter-of-factly: “I’m reviewing my privacy options under HIPAA” rather than “I don’t trust you.” Hospitals aren’t required to honor restriction requests (except the insurance disclosure rule). Your complaint may not change their data-sharing practices. But it signals patient awareness. Matters when enough people push back.