The first thing you should know about HIPAA is that it is HIPAA, not HIPPA. There is only one P, and that P does not mean “privacy”.
"People don't know what this acronym stands for," Deven McGraw, co-founder and chief regulatory officer of the patient records platform Ciitizen and former deputy director of health information privacy at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), told Recode.
"Often they think it is the Health Information Privacy Protection Act: HIPPA. Yes, that law does not exist."
Yet when reporters asked whether they had been vaccinated, people at the highest levels of government (Georgia Rep. Marjorie Taylor Greene, a repeat offender) and sports (Dallas Cowboys quarterback Dak Prescott) have invoked HIPAA. Greene has even alleged that simply asking the question was somehow a "violation" of her "HIPAA rights". As more employers and schools require their employees and students to be vaccinated, the HIPAA question keeps coming up.
So let's get one big question out of the way first:
Is It a HIPAA Violation For Your Employer To Require Vaccines?
No. Requiring employees to be vaccinated is not a HIPAA violation, and neither is asking for proof that you have been vaccinated, although many people seem to think that providing or even requesting health information automatically becomes a HIPAA problem.
Employers must keep their employees' vaccination status confidential, but that is because of the Americans with Disabilities Act, not HIPAA, which again does not apply here.
Why HIPAA is so misunderstood
Both the misspellings and the widespread belief that HIPAA provides strict privacy protection for all health data, and that everyone is subject to it, are common and understandable mistakes. HIPAA is pronounced like "hippo" but with an "a", and most patients only encounter it when they sign the privacy notice that the law requires their healthcare providers to use. In addition, most people consider their health data to be very sensitive and assume that their legislators have put the appropriate guardrails in place to keep it as private as possible. But HIPAA's privacy rules are more limited than they might think.
"HIPAA is great branding because everyone knows it, even if it is misspelled," Lucia Savage, Omada Health's chief privacy and regulatory officer and former chief privacy officer in the HHS Office of the National Coordinator for Health IT, told Recode. "What is not well understood are its limits. Specifically, it is a law that regulates information that is collected because a person is seeking health care."
Usually the misunderstanding would be a harmless, if annoying, one. But the pandemic has brought health issues to the fore. As with a lot of other things over the past year, we have moved many of our health interactions online. Some of these may not be covered by HIPAA, but a lot of people just assume they are. And as the pandemic became increasingly politicized, many people cited HIPAA as an excuse to get out of mask mandates and to claim that vaccine passports and mandates are illegal. Neither of these claims is true, but that has not stopped many people from making them, and using them to avoid public safety measures could be harmful to everyone.
"It certainly seems to have gotten worse in the Covid era, because the misinformation being disseminated via social media channels is completely wrong and yet is claimed with such a high level of self-confidence that people believe it," said McGraw.
The perception that HIPAA is a general health privacy law to which everyone is subject is so widespread that there is now a Twitter account dedicated to documenting it.
A few months into the pandemic, Bad HIPPA Takes popped up; the misspelling is an intentional nod to how often people who claim to know the law get the acronym wrong. It was created by an anonymous former healthcare provider who told Recode that they were tired of seeing rampant misinformation about HIPAA and feared it could cause harm.
The creator of the Bad HIPPA Takes account says some of the most common HIPAA inaccuracies over the past year have involved wearing masks, contact tracing, mandatory temperature checks, and now vaccine passports.
"There's a lot of confusion about who and what HIPAA actually applies to," they said. "The sheer amount of bad information about it is almost insurmountable."
Suffice it to say that Bad HIPPA Takes has plenty of material for its nearly 20,000 followers. But getting the public to understand what HIPAA actually does is another matter.
"Trying to get people to understand in 280 characters what a covered entity or business associate is is not an easy task," said the person running the account. "I can write the words, but of course this platform is not well suited for a deliberate, nuanced discussion."
What HIPAA actually does
What does that one P stand for if not privacy? Portability, obviously.
HIPAA is short for the Health Insurance Portability and Accountability Act. The origins of the 1996 Act lay in creating federal standards for digitizing medical claims data and records ("accountability") and in guaranteeing health insurance coverage for employees, including those with pre-existing medical conditions, when they change jobs (that is, "portability"), rights that they did not have before the Affordable Care Act.
"When Congress passed this bill, it became clear to them that there was going to be this massive digitization of health data, and that there might have to be privacy protection," said McGraw.
HIPAA includes several elements, including provisions to prevent healthcare fraud, simplify and standardize medical records, regulate pre-tax medical savings accounts for employees, and ensure continued health coverage for employees who have lost or changed jobs. For the purposes of this explainer, we will focus on the Privacy Rule, which falls under the administrative simplification section.
HIPAA only applies to so-called "covered entities". These are essentially healthcare providers (e.g. doctors, hospitals and pharmacies), health insurance companies, and healthcare clearinghouses (which process medical data). It also covers their "business associates", the contractors who need to handle medical records in some way in order to do work for those covered entities. These parties must follow certain protocols to keep your protected health information safe and private.
Better yet, tell him you did it, then he'll demand you see your car card as evidence and hit him with a HIPPA lawsuit.
University for free !!!
– I'm going to get excited for pushing self-flexions (@JASONWI72430456) April 14, 2021
If you believe your HIPAA rights have been violated, you can complain to the HHS Office for Civil Rights. But, and this is another common misconception, as the tweets above show, you cannot sue the alleged violator yourself. The Office for Civil Rights intervenes if necessary, for example by imposing fines or even criminal sanctions against violators.
What HIPAA doesn't do
It's important to note that medical privacy didn't start with HIPAA, and it isn't the only health privacy law. There are other laws that protect certain types of health information: some states have their own stricter laws protecting medical privacy, and there are laws like the Americans with Disabilities Act, which requires employers to keep disability-related medical information about their employees confidential. And the concept of medical confidentiality has long been around; it is part of the Hippocratic Oath (which is not law), and that trust is a necessary part of good medical care.
"If I'm the doctor and you're the patient, you come in and maybe tell me some really secret things," said Savage. "And I have to know this in order to properly care for you and to diagnose you correctly."
At the same time, many of us voluntarily share our health information with all sorts of places and people who have no real legal obligation to keep this information private or secure. With the internet there are more ways to do this than ever.
"I think when you talk about interactions with the health system, the likelihood that they are protected by HIPAA is generally very high," said McGraw. "Now, where these things break down is if you are recording your steps on a Fitbit or using a nutrition app; of course that is not covered by HIPAA."
That therapist appointment you tweeted about? Your Instagram selfie about the vaccine? Your membership in a Facebook support group for people with herpes? The period tracker app on your phone? The heart rate monitor on your wrist? Your WebMD searches about your recent lupus diagnosis? The mail-order DNA test? The Uber ride to the emergency room? That is all health information, most of it is directly linked to you, it can be sensitive, and none of it is covered by HIPAA (unless protected health information is shared with a covered entity, as is the case with some digital health services).
And then we have the organizations that handle health data but are not covered by HIPAA, including most schools, law enforcement agencies, life insurers, and even employers. They may be covered by other privacy laws, but HIPAA is not one of them.
And at the moment, enforcement has been temporarily waived even for some things that are actually covered by HIPAA, due to the pandemic. The Office for Civil Rights will not enforce its requirement that healthcare providers use HIPAA-compliant portals for telemedicine, nor will it require covered entities to use HIPAA-compliant systems for vaccine scheduling, an issue that arose when some health departments' sign-up portals crashed and they turned to Eventbrite. Eventbrite is a good service for signing up lots of people for a high-demand event, but it is not HIPAA compliant. The Office for Civil Rights told Recode that this enforcement discretion remains in place "until the HHS secretary determines that the public health emergency no longer exists."
All of this means that if you go to Starbucks (not a covered entity) and refuse to wear a mask, saying you have a health condition, and the barista asks you what that condition is, that is not a HIPAA violation. Nor is it a HIPAA violation if Starbucks refuses to serve you.
If your doctor walked into that Starbucks and shared your health information with anyone within earshot without your permission, that would be a HIPAA violation. It would also be a good time to consider changing doctors. Fortunately, HIPAA allows you to request your medical records and take them to a new provider. And if someone else records your doctor's outburst and broadcasts it on TikTok, that is not a HIPAA violation, even if it contains information that was once protected by HIPAA.
"The guard doesn't cling to the data and protect it all the way down," said McGraw.
In addition, asking whether or not you have been vaccinated is not a HIPAA violation. In fact, asking about any health condition you may have is not a HIPAA violation for anyone, although it might be considered impolite. A business requiring you to prove that you have been vaccinated before entry is not a HIPAA violation. Your employer requiring you to get vaccinated and provide proof before you can go to the office is not a HIPAA violation. Schools requiring students to get certain vaccinations before they are allowed to attend is not a HIPAA violation.
Oh, and vaccine passports, which the Biden administration has already said it has no plans for and which have been around for decades, if not longer, are not HIPAA violations either. Let's take a look at New York's Excelsior Pass. To use it, you voluntarily give the app permission to access your health information, and as the app's disclaimer clearly states, "(d) the website is not provided to you by a health care provider, and as such you are not providing protected health information for health care treatment, payment, or operations (as defined in the Health Insurance Portability and Accountability Act (HIPAA))."
That's not to say that there may not be other, non-HIPAA violations at play here. Certain anti-discrimination laws restrict the medical information that employers and businesses can request from their employees or customers, and they have an obligation to make reasonable accommodations for qualifying health conditions. But even these other laws, as we have seen, do not mean that businesses have to let those people onto their premises, or that they cannot require employees to be vaccinated (unless the employees have medical or religious reasons why they cannot be).
Closing the health privacy law gap
So HIPAA isn't the all-encompassing health privacy law that many people assume it is, but that mass assumption suggests that such a law is both wanted and needed. HIPAA has many gaps that privacy law can and should fill. The pandemic has only made this clearer.
"People are pretty protective of their health data," Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), told Recode. "They just assume it's covered because it's absurd that it isn't."
Experts believe that this coverage must come from comprehensive federal privacy legislation that governs sensitive information, such as health data, or what are considered sensitive uses of data.
"What we need is for Congress to pass a comprehensive privacy law that puts limits on what companies can use this data for, how long they can keep it, who they can share it with, and that does not put that burden on the individual," said Fitzgerald. "The burden has to be on the company that collects the data to protect it and minimize its use."
Savage said people reading up on health laws could potentially use their time more productively by contacting their lawmakers to advocate for the health privacy protections they believe they are entitled to.
"In order for individual lawmakers to make a difference, they need to understand why it matters," said Savage. "And this is where the human stories come into play. Even just an email to your lawmaker saying, 'I had this thing happen and I was really concerned; it got me vaccinated. Can you fix that, please?'"
Rep. Suzan DelBene (D-WA) is one of several lawmakers who have campaigned for better health data privacy during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill introduced in both houses of Congress in 2020 and reintroduced in early 2021. It would cover digital health data collected for the purpose of containing the pandemic (ex.
"HIPAA provides some protection for our health information, but technology has advanced faster than our laws," DelBene told Recode. "The Public Health Emergency Privacy Act shows how we can protect consumer information during the pandemic, but I believe we need to go further, as this problem pervades every part of our digital lives."
DelBene recently introduced the Information Transparency and Personal Data Control Act, which provides additional protection for sensitive information such as health data. It is one of several consumer privacy bills introduced this session, each of which could offer Americans better privacy protection. That is, of course, provided one of them actually becomes law.
In the meantime, we at least have the Federal Trade Commission (FTC), which can and has gone after apps and websites that violate their own privacy policies, including a period tracking app.
And while Bad HIPPA Takes is not a fan of how the law has been misinterpreted to falsely declare that vaccine passports are illegal, they are concerned about where individual (non-HIPAA) privacy rights end and where a business's property rights begin in relation to these passes.
"If you live in rural America and Walmart is your only grocery store, then do you have to shop online forever, at additional cost and expense, because they decide to require a vaccination to enter their stores?" they asked. "What if you find yourself in this situation and don't have a bank account? The so-called digital divide could make things worse for many people in the short term if the introduction of a vaccination record system is reckless."
This isn't a HIPAA take, but it's worth considering.