What HIPAA Isn't
Word of mouth has turned a narrow health-records law into a supposed health-privacy Bill of Rights.
It’s amazing how many misconceptions are on the loose about HIPAA, the federal health privacy law. You’ve probably heard someone claim it means businesses can’t ask you about your vaccination status. (They can.) Or that a store’s policy requiring masks is invalid for the same reason. (It isn’t.) One meme claims the “rule is simple, HIPAA protects EVERY American from disclosing ANY of their health records to ANYONE.” (Completely false.)
Somehow, word of mouth has taken a dull law passed 25 years ago, known mostly for generating paperwork for nurses, and turned it into some sweeping add-on to the Bill of Rights, except that for business people—from hair stylists to dance instructors—the imagined effect is to curtail their rights.
The mistakes often start with the law’s initials. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Notice there is no second word beginning with “P,” although the routinely misspelled version, “HIPPA,” would have you looking for one.
Notice also that the word that does begin with P is not privacy but “portability.” That’s a clue that the data privacy rules we talk about here weren’t even at the center of the law’s rationale at the time.
Let’s talk about the ways HIPAA is narrow. In general, its data-privacy obligations apply to “covered entities,” a legal term that includes many health care providers, insurers, and some related entities like clearinghouses that gather and retain health data. It doesn’t cover employers except insofar as they may enter the category in the course of such activities as operating a health plan.
What that means is unless the service they are offering is itself health care or the like, most businesses have no HIPAA obligations at all toward customers—that goes for restaurants, stadiums, and theaters, for example.
Next on the list of misconceptions is that HIPAA somehow bans asking you questions about your health. It doesn’t. Even businesses that are covered by the law, such as doctor’s practices, can in general ask you all the medical questions they please.
What they can’t do, without paying close attention to the law’s provisions, is let others see the resulting information. If your employer collects health data about you while running a health benefit plan, it must avoid disclosures you have not consented to.
That idea of consent is another place the memes go wrong. HIPAA is generally designed so its data-privacy rights are waivable; if you visit a doctor, you're probably asked to sign one or more forms to waive some or all of those rights. (An early nickname of the law among medical providers was “Huge Increase in Paperwork and Aggravation Act.”)
See the pattern? No one is violating HIPAA by asking if you’ve been vaccinated. Even if the law did cover them, they could hand you a form to sign. Much less does the law give you any rights to shop at a business or work for an employer that doesn’t want to deal with you.
Some other federal laws, like the Americans with Disabilities Act, do restrict employers from asking some medical questions, and also control how they store medical information. The relevance of these laws to asking about vaccination is limited, however. The Equal Employment Opportunity Commission has said a person’s state of not being vaccinated is generally not a disability, and that an employer’s inquiry about whether an employee has been vaccinated is generally not a disability-related question the ADA restricts.
Misconceptions about HIPAA remind me of something I call folk law—notions about law that bubble up without any encouragement from the legal profession and stubbornly persist among groups of believers, regardless of whether actual judges would give them the time of day. Ever heard the theory that you can copyright your own name and keep people from talking about you? Or how there is some century-old loophole, one that has somehow escaped the notice of judges, that makes paying federal income tax optional? How can legal theories that satisfying be wrong?
On HIPAA, as on much else, the adventurous notions of folk law can be more fun than the dull reality of law books. Just don’t use them to make real-world decisions.