Are you a HIPAA entity? The “Privacy Law” May not Be What you Think

are-you-a-hipaa-entity-the-privacy-law-may-not-be-what-you-think

The first thing you should know about HIPAA is that it’s HIPAA, not HIPPA, as is commonly seen. There is only one “P,” and that “P” doesn’t stand for “privacy.”

If you have heard the acronym “HIPAA” (referring to the Health Insurance Portability and Accountability Act of 1996) thrown around a lot lately, you may be thinking, “do I really know what HIPAA means?” So many are using the term along with the falsehood that their legal or privacy rights can be violated in some way as more and more companies require COVID-19 vaccines to secure employment, to stay employed, and now, let’s face it, to enter certain public places or to travel.

Well, first, let’s clear up the confusion.

The first thing you should know about HIPAA is that it’s HIPAA, not HIPPA, as is commonly seen. There is only one “P,” and that “P” doesn’t stand for “privacy.”

“People make up what that acronym stands for,” said Deven McGraw, co-founder and chief regulatory officer of the medical records platform Citizen and former deputy director for health information privacy at the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in a recent interview.

“More often than not, (they think it’s the) Health Information Privacy Protection Act: HIPPA,” he added. “Yeah, that law does not exist.”

But now, we see prominent figures like U.S. Rep. Marjorie Taylor Greene, or Dallas Cowboys quarterback Dak Prescott, or New England Patriots quarterback Cam Newton, all “invoking” their HIPAA rights. Green even claimed, more than once, that just asking a question about her vaccination status was somehow a “violation of her HIPAA rights.” Incorrect. As more and more employers and healthcare entities and even schools mandate that employees and students get vaccinated, we need to make sure we are clear on not only what HIPAA is, but how it is applied.

So, let’s get one big question out of the way first:

Is it a HIPAA violation for your employer to require vaccines?

No.

Nor is it a HIPAA violation for them to ask for proof that you have been vaccinated, although many seem to think that providing or even soliciting any sort of health information automatically becomes a HIPAA issue.

Employers do have to keep their employees’ vaccination statuses confidential, but that’s because of the Americans with Disabilities Act (ADA) – not HIPAA, which, again, doesn’t apply here.

Why is HIPAA so misunderstood?

Both the misspelling and the widespread belief that HIPAA confers a strict set of privacy protections to any and all health data – and that everyone is subject to those laws – are common, although these are frustrating mistakes: most patients only come across the term when signing the notice of privacy practices that the law mandates their healthcare providers have them sign. Plus, most people consider their health information to be very sensitive, and assume that their physicians and lawmakers have put the appropriate safeguards in place to keep it as private as possible. But HIPAA’s privacy rules are more limited than many may realize.

What is not well understood about HIPAA is its limits. It’s very specifically a law that regulates information that is collected because a person is seeking healthcare.

Normally, such a misunderstanding would be just an annoying misstep, but the pandemic has helped bring health privacy issues to the forefront. As with many other things over the past year, we’ve moved many of our health interactions to the virtual space, and with the Centers for Medicare & Medicaid Services (CMS) 1135 Waiver flexibilities under the Coronavirus Aid, Relief, and Economic Security (CARES) Act, some of those interactions may not be covered or protected by HIPAA – but many simply assume they are.

For example: if you are participating in a telehealth encounter with your physician and you are using a smart-phone application, such as FaceTime or Skype, as allowed under Waiver 1135 during the public health emergency (PHE), these platforms are not HIPAA-protected, and your physician must inform you of the potential risk of breach of your personal health information before you choose to continue with your visit. This also must be well-documented in the encounter that you were informed, by way of consent.

What has happened since about two to three months into the pandemic is that it has become increasingly politicized, and many people are citing “HIPAA rights” as an excuse to get out of mask mandates and to declare vaccine passports and mandates illegal. Neither of these assertions is true, but that hasn’t stopped many people from making them – even though using them to avoid public safety measures could be harmful to everyone. People have such a high level of confidence in believing misinformation that it is out of control in the COVID era.

The perception that HIPAA is solely a health privacy law that everyone is subject to has become so common that there’s a massive amount of confusion about to whom and what HIPAA actually applies; the sheer volume of bad information about it is nearly insurmountable.

Social media platforms have a been a problem, when attempting to give credible information. Trying to get people to understand what a “covered entity” or “business associate” is in 280 characters is not an easy task. These platforms can write the words, but of course, people will believe what they want, and if it is contrary to what they want it to mean, then the platform doesn’t lend itself well to a considered, nuanced discussion.

What HIPAA actually does

So, what does that one “P” stand for, if not privacy? Portability.

As noted, HIPAA is short for the Health Insurance Portability and Accountability Act. The 1996 law’s origins lie in creating federal standards for digitizing medical claims data and records (“Accountability”) and allowing employees to have health insurance coverage, including for preexisting conditions, when they change jobs (that’s the “Portability”): rights they did not have before the Patient Protection and Affordable Care Act (PPACA).

The privacy provision that most of us associate HIPAA with today wasn’t actually the focus of the law at the time. When Congress passed this law, they knew that on some level, there was going to be a massive digital transition to our health data in the future, and there might need to be privacy protections for that.

It took a few years to work those protections out, so HIPAA’s privacy rules weren’t issued until the end of 2000, and didn’t fully take effect until 2002. There was a recent update in 2013.

HIPAA only applies to what are called “covered entities.” Those are essentially healthcare providers (doctors, hospitals, and pharmacies, for instance), health insurers, and healthcare clearinghouses (which process medical data). It also covers their “business associates,” or contractors who must handle medical records in some way to do work for those covered entities. Those parties are required to follow certain protocols to keep your protected health information secure and private, especially in the digital transfer of patient health information.

This is why healthcare providers or insurers might require patients to communicate with them through secure, HIPAA-compliant channels and patient portals, or take other steps to verify a patient’s identity before discussing protected health information with them. HIPAA’s privacy rule also requires that healthcare providers give each patient a notice of their privacy practices, and allow patients to access their own medical records. In fact, a lot of HIPAA complaints from patients aren’t about privacy violations, but about lack of access to medical records, which led to the passage of the 21st Century Cures Act, to shift that focus to the OCR – the Office of Civil Rights.

What HIPAA doesn’t do

It’s important to note that medical privacy didn’t begin with HIPAA, and it’s not the only health privacy law out there. The concept of doctor-patient confidentiality has existed for a long time – it’s part of the Hippocratic Oath (which is not a law) – and that trust is a necessary part of good medical care.

Patients have to feel a level of comfort knowing that if they tell their personal physician some very private things, they will be kept that way, and this allows a physician to give the patient the right care and diagnose them properly.

At the same time, many people freely give away their health information to all kinds of places and platforms, and to people who have no real legal obligation to keep that information private or secure. With the Internet and social media, this is happening more than ever.

Consider this: if you’re recording your steps on a Fitbit or using a nutrition app, that’s not going to be covered by HIPAA. The creators of those are not HIPAA entities, and the companies can use that information to market to you athletic shoes or equipment, supplements, etc.

That amazing massage therapist appointment you tweeted about? Your vaccine card Instagram selfie? Your membership in a Facebook support group for people who have cancer? The period tracker app on your phone? The heart rate monitor on your wrist? Browsing WebMD for information about your recent COVID-19 diagnosis? The mail-order DNA test? The Uber trip you took to the emergency room? That’s all health information, most of it directly tied to you; it can be sensitive, and none of it is covered by HIPAA (unless protected health information is shared with a covered entity, like a hospital or physician who ordered it, requested it, and asked you to deliver it that way. Even then, it is sketchy).

And then we’ve got the organizations that handle health data but aren’t covered by HIPAA, including most schools, law enforcement, life insurers, and even employers. They may be covered by other privacy laws, but HIPAA isn’t one of them.

A big hiccup to all this is that we are still under the federal PHE (some states have let their PHEs expire). So some things that actually are covered by HIPAA have been given a temporary enforcement waiver due to the pandemic. The Office of Civil Rights will not be enforcing its rule requiring healthcare providers to use HIPAA-compliant portals for telehealth (as long as patients were informed), nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines – an issue that arose when some health services’ sign-up portals crashed, and the services turned to the event scheduling platform Eventbrite. Eventbrite is a good service for getting a lot of people signed up for an event in high demand, but it’s not HIPAA-compliant, and it uses a public forum.

The Office of Civil Rights has stated that enforcement discretion will remain in effect “until the Secretary of HHS determines that the public health emergency no longer exists, but again, patients need to be informed of this security risk, as outlined in the Cures Act and the CMS FAQ rule sheets.”

A Dose of Reality on HIPAA

Understand that if you go to Starbucks (not a covered entity) and refuse to wear a mask because you say you have a health condition, it is not a HIPAA violation if the barista asks you what that condition is, nor is it a HIPAA violation if Starbucks refuses service to you. They are a private business and not a HIPAA entity, and can enforce any rules they want that they feel protect public safety and their business, as long as it is not discriminatory to a protected class (i.e., race, religion, gender, disability, etc.).

If your doctor were to walk into that Starbucks and broadcast your health information to anyone within earshot, without your permission, that would be a HIPAA violation. It would also be a good time to consider changing doctors. Fortunately, HIPAA allows you to request your medical records and bring them to a new provider. And if someone else happened to record your doctor’s outburst and put it on TikTok, that’s not a HIPAA violation, even though it does include information that was once protected by HIPAA.

Additionally, someone asking if you’ve been vaccinated is not a HIPAA violation. In fact, it’s not a HIPAA violation for anyone to ask about any health condition you may have, although it might be considered rude. A business requiring you to show proof that you’ve been vaccinated before you can enter is not a HIPAA violation. Your employer requiring you to be vaccinated and show proof before you can go to the office is not a HIPAA violation. Schools requiring that students get certain vaccinations before they’re allowed to attend is not a HIPAA violation.

Oh, and vaccine passports – which the Biden Administration has already said it has no plans to mandate, but that could change in the future – are also not HIPAA violations.

Look at certain health records apps that are all the rage now, like New York’s Excelsior Pass (ePass); to use these, you are voluntarily giving the app permission to access your health records, and, as the disclaimer clearly states: “the website is not provided to you by a healthcare provider, so, as such, you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA)).” Does anyone read the fine print anymore?

So, HIPAA isn’t the all-inclusive health privacy law so many people assume it is, but that mass assumption suggests that such a law is both wanted and may be needed. HIPAA has a lot of gaps that a privacy law can and should fill. The pandemic has only made this more apparent.

What we need is for Congress to pass a comprehensive privacy law that sets limits on what companies can use this data for, how long they can keep it, and who they can disclose it to, without putting the burden of dealing with that on the individual.

U.S. Rep. Suzan DelBene (D-Wash.) is one of several lawmakers who have pushed for better health privacy protections during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill that was introduced in both houses of Congress in 2020 and reintroduced in early 2021. Its premise is that it would protect digital health data collected for the purpose of stopping the pandemic (for instance, by contact tracing apps or vaccine appointment booking tools) from being used for unrelated purposes by the government or private businesses.

HIPAA provides some protections for our health information, but technology has advanced much faster than our laws.

In the meantime, if you have any question regarding whether or not you or another business or person is a “covered entity” and needs to comply with HIPAA standards, CMS has a tool to help healthcare providers and organizations determine whether or not they are considered a covered entity. The link is included below.

HIPAA Covered Entity Decision Tool

Did you know that HIPAA (Health Insurance Portability and Accountability Act)-covered entities must also comply with standards for electronic transactions – not just privacy and security provisions? The Centers for Medicare & Medicaid Services (CMS) offers a tool to help health care providers and organizations check whether or not they are considered HIPAA-covered entities.

Visit the CMS Administrative Simplification website to learn about the standards and operating rules that are required for electronic health care transactions conducted by HIPAA-covered entities.

For More Information: are you a hipaa entity the privacy law may not be what you think