What is HIPAA and How Does the Law Work?

As September beckons people back to the office and the highly infectious Delta variant of the coronavirus spreads rapidly across the country, workplaces are navigating a range of challenges, including whether to require employees to be vaccinated or to reimpose mask mandates.

Some, including Representative Marjorie Taylor Greene, Republican of Georgia, are resisting those calls, as she falsely claimed this week that disclosing vaccination status “was a violation of my HIPAA rights,” the federal regulation that protects confidential health information.

The Health Insurance Portability and Accountability Act, known as HIPAA, governs the privacy of a patient’s health records, but it is legal to ask Ms. Greene about her medical history. Still, her assertion reflects a misperception that has spread across social media and fringe sites as online misinformation and misstatements about vaccines help fuel a resistance to being inoculated.

Here’s a look at what privacy protections HIPAA offers and why it is so frequently misinterpreted.

In 1996, President Bill Clinton signed into law HIPAA, a broad piece of health and privacy legislation that helped update and regulate how health insurance was sold and how personal medical information was stored as electronic processing took hold.

One aspect of the law, the privacy rule, makes it illegal for certain people and organizations, including health care providers, insurers, clearinghouses that store and manage health data and their business associates, to share a patient’s medical records without the patient’s explicit consent. Those parties handle patient health records on a daily basis.

No. The law applies only to companies and professionals in the health care field, although some people may incorrectly imply otherwise, as Ms. Greene did in suggesting that the measure offered Fifth Amendment-like protection against revealing personal health information.

HIPAA is extremely “narrow,” said I. Glenn Cohen, an expert on bioethics and health law with the Harvard School of Law. “Whenever anyone says to you ‘HIPAA prohibits that,’ ask them to point to the portion of the statute or regulation that prohibits it. They often won’t be able to do so.”

Moreover, nothing in the law prohibits asking about someone’s health, be it vaccination status or proof that such information is accurate.

Regardless, some have turned to the law as a pretext to deflect such questions.

In July, the lieutenant governor of North Carolina, Mark Robinson, falsely claimed on Facebook that President Biden’s door-to-door campaign to encourage vaccination and asking whether residents have been inoculated were “illegal” under HIPAA.

But the law is not applicable to employers, retail stores or journalists, among other parties. No federal law prevents companies from requiring their employees to be vaccinated, though there are certain exceptions if you have a disability or a sincerely held religious belief.

Nor does it mean that you have to reveal whether you have been vaccinated. That is at your discretion to disclose.

Long before social media and fringe news sites disseminated harmful health misinformation, like whether masks work (they do) or whether the coronavirus vaccine will alter your DNA (it won’t), HIPAA and its use as a catchall excuse for privacy have often lent themselves to misinterpretation.

“I often joke that even though it is five letters, HIPAA is treated as a four-letter word,” Mr. Cohen said. Physicians, he said, have often used it as a reason not “to do something they don’t want to do, like providing a patient certain information by saying — perhaps believing it but being incorrect — ‘well, that would be a HIPAA violation.’”

But experts say politicians and public figures inflict further damage in perpetuating incorrect claims, allowing misunderstandings about HIPAA and vaccine skepticism to flourish.

“This rumor might not be specifically harmful in itself, but it’s part of a narrative that is harmful,” said Tara Kirk Sell, an assistant professor of health security at Johns Hopkins’s Bloomberg School of Public Health. “It is especially a problem when there’s an information void and in this case, it’s that people don’t know what HIPAA is.”

Ms. Greene has previously spread misinformation about HIPAA and about vaccines. Twitter suspended her account this week after she asserted that Covid-19 was not dangerous to young, healthy people — a claim that the Centers for Disease Control and Prevention has disproved.

“The HIPAA laws are real and they do something important,” Ms. Sell said. “The misinterpretation of what it’s all about just adds to this firestorm of anti-vaccine sentiment.”

Leave a Reply

Your email address will not be published. Required fields are marked *