Source: MART PRODUCTION / Pexels
The Health Insurance Portability and Accountability Act (HIPAA) has never been the most glamorous law; however, it has undoubtedly enjoyed more of a spotlight in recent years with the COVID-19 pandemic and the resulting measures associated with responses to public health risk. With public figures referencing HIPAA (including NFL quarterback Dak Prescott and Georgia Representative Marjorie Taylor Greene), HIPAA has become almost fashionable to invoke whenever medical questions are raised.
However, HIPAA is not only one of the most commonly misspelled laws (it is “HIPAA” —one P, two As) but also one of the most misunderstood. Rather than providing freewheeling protection of all vaguely medically-related information, the Health Information Privacy and Accountability Act (HIPAA) was created to place a number of requirements on very specific entities (more on those below) to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged and to whom. Below are seven surprising facts about HIPAA that you may consider before invoking it yourself.
PHI is defined very broadly.
As mentioned above, HIPAA protects Protected Health Information, which may include health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI if it includes individual identifiers. Surprisingly, demographic information may also be considered PHI, and also non-health common identifiers such as patient names, Social Security numbers, and birth dates if they are linked with health information in some way. Notably, PHI is only protected by HIPAA if it is tracked by specific entities (see below). So, for example, your heart rate tracked by your Apple Watch is not PHI covered by HIPAA, because Apple is not your health care provider!
HIPAA applies only to “covered entities,” which include medical providers and health care plans.
The HIPAA Rules specify “covered entities” that are covered by HIPAA. Covered entities include not only doctors, but also clinics, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, company health plans, HMOs, and government programs that pay for health care, such as Medicare and Medicaid. HIPAA also covers “business associates” of any of these entities — in other words, another entity that helps one of these covered entities carry out its health care activities or functions. Notably, a clarification of HIPAA in 2000 made clear that it also applies to therapists and counselors.
HIPAA only applies to the extent that the covered entity is carrying out health care functions. For example, if your employer is the plan sponsor of an employer health care plan, then your employer — for PHI collected for that purpose — is covered by HIPAA. However, if your employer becomes aware of health-related information in other ways — for example, because you discussed your condition with a colleague, or because you applied for leave under the Family Medical Leave Act (FMLA) —that information would not be governed by HIPAA. However, it might be governed by other medical privacy laws. For example, the FMLA has its own privacy provisions.
HIPAA does not prevent third parties from asking about your vaccination status (or other PHI).
While vaccination status does constitute PHI, HIPAA only applies to certain organizations and businesses (health care providers, health plans, etc.) It is not a HIPAA violation for a restaurant or gym to ask for proof of vaccination. However, it would be a HIPAA violation for a doctor to disclose that information to the restaurant or gym without the patient’s consent.
HIPAA does not apply to “incidental uses and disclosures.”
One common misconception about HIPAA is that it is violated anytime PHI is compromised — for example, if a patient enters an examination room, and the physician inadvertently clicks on the wrong patient’s profile in her computer, or if a patient accidentally overhears a conversation about another patient.
The HIPAA Rules permit certain incidental uses and disclosures of PHI to occur as long as the covered entity (in this case, the physician) has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy. The regulations acknowledge that many customary health care communications and practices play an important and essential role in ensuring that individuals receive prompt and effective health care and that due to the nature of these communications — and the various environments in which individuals receive health care — the potential exists for health information to be disclosed incidentally. So, for example, if a physician has a conversation with a nurse about a patient and another patient overhears, it is not necessarily a HIPAA violation unless the incident is more systemic (caused by a lack of effective policies and procedures) rather than a one -time inadvertent error.
HIPAA only goes one way.
HIPAA protects your PHI from being shared by your health care provider, health care plan, and their business associates. However, you can always share your own health care information with whomever you choose. It also does not prevent a third party from asking you for PHI, although it does prohibit covered entities from sharing your PHI (for the most part) with third parties without your consent.
There are exceptions to HIPAA.
Under HIPAA, PHI can still be shared without patient authorization in certain circumstances, including:
- To prevent a serious and imminent threat
- As necessary to treat the patient (for example, coordinating between providers, in consultation or referrals)
- Ensuring public health and safety
Furthermore, HIPAA does not technically prevent health care providers from sharing information about a patient with members of the patient’s family. If the patient is present, information can be shared if the patient does not object. If the patient is incapacitated, the provider can still share information based on personal judgment, if the provider does not believe the patient would object. (However, health care records cannot be shared unless authorized in writing.)
You can not sue a doctor for violating HIPAA.
HIPAA does not create a private cause of action, which means you can not directly sue any doctor or medical provider, even if you think they violated HIPAA. In some states, you may be able to file a lawsuit on other grounds (for example, negligence or breach of implied contract), but such cases may be difficult to prove. You can also file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR) or with your state attorney general, although many complaints are resolved through voluntary compliance or corrective action rather than stiff penalties. Furthermore, given the complexities of HIPAA (and also how frequently misunderstood it is), it may be beneficial to consult with a local attorney about your specific situation before making litigation threats.
 Technically, HIPAA only applies to organizations that conduct health care transactions electronically; however, today, this includes almost all organizations.
Disclaimer: This post is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this post or any of the e-mail links contained within the site do not create an attorney-client relationship between the author and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of any law firm or Psychology Today.