In WhoWhatWhy’s occasional series, “What’s the Deal With…?” we look at current topics everyone’s talking about but many of us don’t fully understand. Not to worry — we’re here to guide you through the forest to help you better understand the issues facing us today and be better armed to make your own decisions.
With an increasing number of states implementing vaccine mandates and reinstating indoor mask requirements, people have started citing HIPAA to avoid disclosing information about their health or vaccination status to government entities, businesses, and other individuals. Today, on the 25th anniversary of HIPAA’s passage, we take a look at what HIPAA means, to whom it applies, and why it has nothing to do with mask and vaccine requirements.
A Brief History
The Health Insurance Portability and Accountability Act (HIPAA) was passed into law under the Clinton administration on August 21, 1996. While the law contains five sections, the part typically cited by the public is the Privacy Rule.
The HIPAA Privacy Rule, which went into effect in 2003, regulates the use and disclosure of protected health information (PHI) by certain “covered entities.” These include health insurers, medical providers, health facilities, or any other organization that processes health care data. PHI includes any information regarding health status, provision of care, or health care payment that can be linked to an individual. For instance, if a health plan revealed information about your diagnosis in conjunction with your name without your permission, that would be a HIPAA violation.
HIPAA encapsulates a wide range of topics related to health insurers including protecting coverage for workers changing or losing their jobs; establishing national standards for electronic transactions; and setting guidelines for pretax medical spending accounts, group health plans, and life insurance policies. The Privacy Rule, however, is what people typically refer to when they invoke HIPAA.
No, That Doesn’t Break HIPAA
In order to break HIPAA’s Privacy Rule, you must be a covered entity and you must reveal PHI. If you call your friend’s primary care physician to find out about your friend’s vaccination status, and the physician reveals that information to you, that would be a breach of HIPAA because the physician is a covered entity under the Privacy Rule.
However, if a nurse told someone that they administered the COVID-19 vaccine to someone without revealing any identifying information (i.e., name, phone number, address), that would not be a HIPAA violation because no PHI was shared. If a family member revealed your medical diagnosis to someone, that would also not break HIPAA because they are not a covered entity.
Question: Have you yourself been vaccinated?
Greene: Your first question is a violation of my HIPAA rights pic.twitter.com/JuHDovV2mC
— Acyn (@Acyn) July 20, 2021
Asked if he is vaccinated, Cowboys QB Dak Prescott: “I don’t necessarily think that’s exactly important. I think that’s HIPAA.” pic.twitter.com/EKYI1t4A5S
— Michael Gehlken (@GehlkenNFL) July 23, 2021
HIPAA does not apply to most businesses or individuals because they are not considered covered entities. So anybody can ask you about your health status; it’s up to you whether or not you feel comfortable sharing that information.
As for the recent mask and vaccine requirements? Those aren’t HIPAA violations either. States, schools, and businesses are fully within their rights to enforce these mandates; they’re not covered entities under HIPAA. Your boss requiring you to get vaccinated, your state implementing a vaccine passport program, or your child’s school mandating masks — none of these is a HIPAA violation. So while getting asked by the hostess at your local pizza joint about your vaccination status may feel like a breach of personal privacy, it is not a breach of HIPAA or any other provision of law, no matter how loudly Marjorie Taylor Greene might protest.
Imaginary Acronyms, Imaginary Laws
The misconception that HIPAA applies to every person and all health information is widespread, and there is no shortage of misspellings only adding to the confusion.
HIPPA: You may have heard of a new law called the “Health Information Privacy and Portability Act,” or “HIPPA” for short. This is not real, but rather a common misnomer for the actual law.
Ah yes Hyppa, the Greek goddess of healthcare information ignorance
— Jeffrey Bedard, M.Sc. (@medethix) August 18, 2021
HYPPA: This is another incorrect spelling of HIPAA. It sounds like the name of a Greek goddess, but it’s actually the scientific name for a genus of moth. Regardless, it is not a real law.
HIPPO: While some people claim asking about their health status breaks their “HIPPO” rights, the term is shorthand for hippopotamus, a semiaquatic mammal native to sub-Saharan Africa.