What HIPAA Isn’t

Word of mouth has turned a narrow health-records law into a supposed health-privacy Bill of Rights.

By
33

It’s amazing how many misconceptions are on the loose about HIPAA, the federal health privacy law. You’ve probably heard someone claim it means businesses can’t ask you about your vaccination status. (They can.) Or that a store’s policy requiring masks is invalid for the same reason. (It isn’t.) One meme claims the “rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.” (Completely false.)

https://www.instagram.com/p/CO1OcMbtFuX

Somehow, word of mouth has taken a dull law passed 25 years ago, known mostly for generating paperwork for nurses, and turned it into some sweeping add-on to the Bill of Rights, except that for business people—from hair stylists to dance instructors—the imagined effect is to curtail their rights. 

The mistakes often start with the law’s initials. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Notice there is no second word beginning with “P,” although the routinely misspelled version, “HIPPA,” would have you looking for one. 

Notice also that the word that does begin with P is not privacy but “portability.” That’s a clue that the data privacy rules we talk about here weren’t even at the center of the law’s rationale at the time. 

Keep reading with a free account
Create a free Dispatch account to keep reading Get Started ALREADY HAVE AN ACCOUNT? SIGN IN
33
By
Comments (33)
Join The Dispatch to participate in the comments.
 
  1. Lylegruby

    Sure, Walter, just give away all the rights our founders fought for!

    Collapse
  2. Kurt Von Fuchs

    OK this might sound stupid. But I find it comforting that so few people actually know what this law is I think that means that there are fewer people that have serious medical problems. Because anybody with a serious medical problem knows exactly what this law is.

    Collapse
  3. Avatar photo
    rlritt

    I love it!!! You are so right. My friend who is one those who really hunkered down in fear during the past year, finally went to the dentist and she asked her hygienist if she was vaccinated. The hygienist said that asking that was against HIPAA regulations. I said, "you can ask her anything you want about her hygiene and health status since she is literally putting her hands in your mouth." Wow, when you think people can't get any stupider, they surprise you.

    Collapse
  4. Avatar photo
    Man-Eating Cow

    My experience with HIPAA is that it prevented the psychiatrist working with our depressed son from telling us anything whatsoever about his condition or its progress. The kid lives in his room surfing the Web, and he has not spoken more than three words per day to me in years. And it seems like there is very little I can do about it.

    Collapse
    1. Avatar photo
      Kevin C. Smith

      I feel your pain on this one and I'm sorry to hear about your son. Keep in mind that your state may have laws that heighten the protection of mental health information as well, so it doesn't fall completely on HIPAA. I hope your son comes around to providing you authorization to secure his records and/or speak with his doctor. One suggestion may be to offer to limit the authorization to securing the protected information but not to disclose the information. This way, you can work with your son in his treatment but your son can rest assured that you will keep his information as private as he desires. Also, should the need ever arise, keep in mind that most states have some form of emergency mental health detention that can be employed if you think your son reaches a state where he is at risk of harming himself or others. I truly hope that is never the case, but I bring it up to spread awareness as knowing this option is available makes handling such situations a little easier.

      Collapse
    2. Avatar photo
      Ruby Girl

      My heart goes out to you, Man! We had to deal with psychiatrists and therapists with all 3 of our sons when they were teenagers and into their twenties. And that’s where HIPAA really sucks—when someone you care about is troubled and won’t sign a release so you can talk to their care provider. Unfortunately the office staff of providers rush you through all the forms where you agree to disclose your health information to a gazillion insurance companies and other agencies (including your employer, because most likely your employer self insures) but you have to make a special effort to agree to let any loved ones have access, and teenagers and troubled twenty somethings have radar for avoiding such disclosures. Hopefully your son will realize who really cares about his welfare and future — you!

      Don’t get me started about the challenges of the psychiatric profession! We were lucky to find one or two good psychiatrists along the way, but I’d sooner trust a witch doctor than most of them!

      Collapse
    3. GregS

      That's not even HIPAA but just regular old medical ethics.

      Collapse
  5. Melissa Feagins

    This article is largely correct, but nurses don't do this paperwork except on very small private practice. I work in revenue cycle for a rural healthcare system and we have teams of pre-service people who check you in, verify your insurance, and deal with all of the paperwork so that our nurses are free to think about you.

    Collapse
  6. Avatar photo
    Jen

    Thank you for explaining this. I work for a health insurance company. It’s so frustrating when people throw out the HIPAA acronym without knowing exactly what it means.

    Collapse
  7. Phil Rexroth

    The stubborn persistence of folk law points to a real issue, which is the vast sweep and complexity of our various legal statutes and codes. HIPAA is a great example: only specialists in the field really understand the law, and even then they likely only have true mastery of certain sections that are directly applicable to their professional lives. When the laws that govern us are impenetrable to laymen, of course something like folk law will arise to provide an easier-to-understand framework by which people can keep themselves on the right side of the law. Unfortunately, this means that we are all likely to be unwitting felons at some point…

    Collapse
    1. Tom (Inadvertent Obfuscation)

      The problem is exarcerabated when written laws work against the common good or have nothing to do with the common good. You cannot get by with just doing the right thing, so you stay far away from the electric fence, wherever it might be.

      Collapse
  8. Avatar photo
    Jake

    We have friends at our former church that won’t get vaccinated, but are going to pretend they are so they can stop wearing masks. They are the same people that believe this folk law. The lack of education and critical thought in this world is astounding. How did we ever get out of the dark ages? That seems like such a natural state for humankind.

    Collapse
    1. Avatar photo
      rlritt

      My friend's husband got covid a few weeks ago, after being vaccinated for 2 months. He got it from an unvaccinated person not wearing a mask. I heard the same thing happened to Bill Maher just recently. If you have covid you can spread it to others.

      Collapse
  9. Avatar photo
    Denise Cote

    I worked for a large health insurance company for 25 years. This is exactly right: the burden is on health care providers, insurers, and one's employer to avoid disclosing a person's health information without their consent.

    Collapse
  10. Avatar photo
    Kevin C. Smith

    This is a great article but I want to caution that many states have enacted laws that mirror and then build on HIPAA, making it illegal to publicize PHI (e.g., Texas). They expand the restrictions on revealing PHI to individuals, making a social media post like “Joe was diagnosed with COVID” a violation subject to heavy fines.

    Collapse
    1. Avatar photo
      Jason Gibson

      This is true. The standard is that whichever law state or federal is more strict is the one you are bound by

      Collapse
    2. Avatar photo
      Aylene Wright

      Good point that state and local laws can differ from, and actually be *stricter* than federal law! I think that especially on the Right there is an assumption that it's "the Feds" who are responsible for 99% of "burdensome regulations".

      Collapse
      1. Avatar photo
        Kevin C. Smith

        Absolutely. This happens all the time.

        Collapse
    3. GregS

      Can you provide a reference for that Texas law? I live in Texas and hadn't heard of it... I found HB300 but it doesn't seem to expand HIPAA to individuals who didn't themselves collect your health info.

      Collapse
      1. Avatar photo
        Kevin C. Smith

        HB300 is exactly what I'm referring to. Under HB300, the definition of a "covered entity" was expanded to include "any entity or individual" that "possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits" PHI. You don't have to collect the info--you can just come into possession of that information. And the potential fines for disclosing that information are severe. There are a couple of other Texas statutes that also protect PHI (although defined more broadly), especially mental health and substance abuse information (one Texas statute actually provides a private cause of action to an aggrieved individual, unlike HB300).

        Collapse
        1. Avatar photo
          rlritt

          Does it say you can't ask a person directly what their health condition is? Can a girl ask a guy if he has herpes? That information might be important for her health?

          Collapse
          1. Avatar photo
            Kevin C. Smith

            I don’t see anywhere in the law where someone is prohibited from asking a person directly about their medical condition. There are 2 places where you need express written authorization (1) to request PHI from a third party (i.e. the girl asking the guy’s doctor if he has herpes); and (2) to disclose PHI you possess.

            Collapse
        2. GregS

          I am not a lawyer (of course), but to me, "possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits" wouldn't cover a situation where my neighbor told me at a Memorial day cookout that she'd had COVID.
          Those words (e.g. possesses, obtains) still sound to my untrained-in-the-law ear like they are referring to very specific actions.
          I'm curious - is there any case law saying that this bill applies to individuals who learn about some private health info in this manner?

          Collapse
          1. Avatar photo
            Kevin C. Smith

            I appreciate your interest. I am a Texas practitioner and I recently was engrossed in this area of Texas law in a matter of which I was involved. In fact, just last week I spent many hours researching this very issue and attended a hearing in front of an associate judge who answered this very question. For privacy reasons, I don't want to reveal more information and I understand how this sounds self-serving and anecdotal but it's true nonetheless. I will say that the week before, in front of another judge, I also secured a temporary restraining order against an individual who had disclosed and was continuing to disclose PHI (injunctive relief is authorized under the Act--just not an action for damages; another Texas statute, however, does authorize an action for damages related to wrongful disclosure).

            There is scant case law related to the Act likely due to the fact there is no private cause of action (for damages) for those aggrieved by violations of HB300. Instead, the Texas AG is empowered to investigate consumer complaints, determine whether HB300 was violated, and issue statutorily-prescribed fines. I would bet that the Texas AG does not often pursue individuals who post on Facebook that their neighbor has COVID--but that does not mean the practice is legal.

            Let me quote from the codified statute for some level setting.

            A "covered entity" means, among other things, "any person who . . . comes into possession of protected health information . . . ."

            "Disclose" means "to release, transfer, provide access to, or otherwise divulge information outside the entity holding the information."

            Also, "protected health information" is: "(1) . . . any information that reflects that an individual received health care from the covered entity; and (2) is not public information and is not subject to disclosure under [the Public Information Act]."

            In addition to other requirements, the Act mandates that covered entities (i.e. individuals possessing PHI) provide notice before disclosing any PHI (with exceptions not applicable here). And notice must be provided to an aggrieved person if the covered entity wrongfully discloses (whether negligently or intentionally) PHI and/or "sensitive personal information" (SPI). SPI is not defined under the Act, but the Legislature incorporated a definition found in the Business and Commerce Code. There, SPI includes, among other things, "an individual's first name or first initial and last name" combined with any PHI, a social security number, or a driver's license or government-issued ID number. SPI also includes "information that identifies an individual and relates to: (a) the physical or mental health or condition of the individual; (b) the provision of health care to the individual; or (c) payment for the provision of health care to the individual."

            To comply with the Act, a covered entity must (again, among other things) secure express written authorization to disclose or otherwise make public any PHI or SPI.

            The plain language of the statute is broad and unquestionably covers your neighbor/cookout scenario (and it would cover PHI/SPI of your spouse/family as well). But as I said above, the Texas AG doesn't go after everyone. Indeed, it appears that in 2016 the AG instituted only 214 enforcement actions out of the 999 complaints received. Again, it is likely that the AG's exercise of prosecutorial discretion eliminates most complaints related to one-off individual disclosures like your neighbor/cookout scenario. I'm sure the AG's limited resources are spent mostly on medical providers and repeat offenders.

            But it'd be much more prudent to follow the law and not rely on your neighbor's ignorance and/or the AG's prosecutorial discretion.

            My unsolicited legal advice would be to keep any PHI/SPI to yourself no matter where or how you come into that information. And remember, this is not just information gleaned from a medical record. It could be a diagnosis, the name of a provider, or even symptoms that could identify someone's illness. Also remember that many states (Texas included) have extra protections for mental health and/or substance abuse information. So if your neighbor also shares at the cookout that they're not drinking beer this year because they're a recovering alcoholic, that's not to be disclosed elsewhere.

            I'd like to think that all of this makes a lot of sense. We do have a right to privacy, and there are few things more private than someone's healthcare information. So even absent HIPAA or a state's healthcare privacy law, common sense combined with respect for others' dignity should make everyone think twice before disclosing someone else's private healthcare information.

            Collapse
Load More