What HIPAA Isn’t

It’s amazing how many misconceptions are on the loose about HIPAA, the federal health privacy law. You’ve probably heard someone claim it means businesses can’t ask you about your vaccination status. (They can.) Or that a store’s policy requiring masks is invalid for the same reason. (It isn’t.) One meme claims the “rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.” (Completely false.)
Somehow, word of mouth has taken a dull law passed 25 years ago, known mostly for generating paperwork for nurses, and turned it into some sweeping add-on to the Bill of Rights, except that for business people—from hair stylists to dance instructors—the imagined effect is to curtail their rights.
The mistakes often start with the law’s initials. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Notice there is no second word beginning with “P,” although the routinely misspelled version, “HIPPA,” would have you looking for one.
Notice also that the word that does begin with P is not privacy but “portability.” That’s a clue that the data privacy rules we talk about here weren’t even at the center of the law’s rationale at the time.