The Health Insurance Portability and Accountability Act, or HIPAA, might be the most misunderstood and erroneously cited law in the history of the United States. I have seen a lot of people, including some who clearly should know better, invoking HIPAA during the pandemic for situations where it simply does not apply. Half the time, even the acronym itself is misspelled (it’s one “P” and two “A’s”, not the other way around). To paraphrase Inigo Montoya from The Princess Bride, people keep using that word, but it does not mean what they think it means. There is even a “Bad HIPAA Takes” account on Twitter, for those of you who want to see endless examples of this.
So what is HIPAA? The Centers for Disease Control and Prevention website defines it as the “federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” That seems straightforward enough. In reality, HIPAA is a very technical and complex area of the law, with some detailed executive branch regulations stemming from it, notably the Privacy Rule and the Security Rule promulgated by the Department of Health and Human Services (HHS). That could be why there is so much misinformation out there about it: most people are not going to be able to sift through all that material to verify or debunk what some self-proclaimed expert says on television or social media. And, to be fair, most of us probably do not need to know those details in our daily lives.
Much of the disinformation relates to whom HIPAA applies. The statutory term for this is “covered entity.” The primary covered entities are health care providers and health plans; in other words, medical professionals (doctors, nurses, and their staff) and insurance companies. Contractors who perform services for those entities and have to use or disclose confidential medical information in their duties also are under HIPAA’s umbrella. Here’s who is not a covered entity: pretty much everyone else. So if a business establishment like a restaurant or theater asks for proof of vaccination before letting someone in, that situation does not implicate HIPAA because such businesses are not covered entities. Even for covered entities, there are plenty of exceptions that allow disclosure, including one for public health authorities authorized by law to collect or receive such information to prevent or control disease. In the COVID-19 era, that exception is no doubt being utilized a great deal.
Another misconception is that people can sue over HIPAA violations. There is no private right of action under HIPAA. Although a covered entity can face an unpleasant enforcement action from HHS’s Office for Civil Rights resulting in significant penalties for noncompliance, the person whose data was compromised cannot bring a private suit. There is at least the theoretical possibility of a separate constitutional or other statutory claim related to unauthorized disclosure of private medical information, but HIPAA itself does not provide that type of remedy.
The purpose of HIPAA is to enhance patient privacy and security, but it is not a catch-all for any claim of medical privacy. For more information, go to https://www.cdc.gov/phlp/publications/topic/hipaa.html.
