What is a HIPAA violation?
HIPAA doesn't ban anyone from asking, "Have you been vaccinated?" against COVID.
Late last month Republican Rep. Marjorie Taylor Greene, of Georgia, raised eyebrows around the country when she claimed that a reporter's question about her COVID-19 vaccination status was a "violation of my HIPAA rights."
Not even close, legal experts say.
The Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law, is a widely cited and widely misunderstood privacy statute. In the age of COVID, with questions about the disease and vaccines arising in the workplace, in schools and elsewhere, debate over and misinformation about the law have taken on a whole new life. According to the Department of Health and Human Services (HHS), HIPAA "gives you rights over your health information and sets rules and limits on who can look at and receive your health information."
"HIPAA is the tool the government uses to try and protect some of your personal health care information," explained Juan Morado, a health care regulatory and policy attorney at Benesch, Friedlander, Coplan & Aronoff, LLP. "It's a rule that prevents hospitals, health insurance companies, pharmacies, and health care companies from sharing certain protected health information (PHI) you provide them with anyone else without your permission."
In other words, the law primarily applies to health insurance companies and health care providers. Neither individual citizens nor most employers are considered "covered entities" under HIPAA, according to HHS.
"HIPAA's protection is incomplete," said Dr. M. Gregg Bloch, a professor of health law, policy and ethics at Georgetown Law. "The bottom line is that HIPAA is meant to provide some control for the consumer, for the patient, over how his or her information flows," he added.
"Here's the huge misunderstanding: What HIPAA does not do is stand in the way of anybody answering the question, 'Have you been vaccinated?'"
When asked about Greene's HIPAA comments, communications director Nick Dyer told ABC News, "It's none of the media's business. Privacy still exists in America, even though the fake news works every day to erode it."
Who and what falls under HIPAA?
Three main entities are covered under HIPAA: health care providers, health plans and health care clearing houses. Health care providers include doctors, clinics, mental health providers, dentists, nursing homes and pharmacies. Health plans include health insurance companies, HMOs, company health plans and government health care programs like Medicare and Medicaid. Health care clearing houses process health information.
A few practical examples of when the law would come into play: "Your doctor can't share your blood test results without your permission," Morado said. "A pharmacist isn't allowed to tell your employer if you're on medication without your permission."
What's NOT covered under HIPAA? (Read: Most health information disclosures are not HIPAA violations.)
Greene is far from the first to wildly misinterpret HIPAA.
Public relations departments and health care organizations are notorious for artfully misinterpreting the law, and claiming health information disclosures fall under HIPAA when they do not, in order to block information they'd prefer not to disclose to the public.
Bloch pointed to the early days of the pandemic, when U.S. nursing homes suffered major outbreaks. While nursing homes are covered entities under HIPAA, he explained, data needs to be identifiable in order to be protected for privacy reasons.
"The main misuse of HIPAA is by health care entities that want to hide the ball when they feel they have numbers that are going to make them look bad," Bloch said. So when health care journalists, for example, ask a nursing home for de-identified data about people who died there during an outbreak, HIPAA is not a relevant factor.
"That's utter nonsense," Bloch said of health care firms blocking requests for de-identified data by citing HIPAA. "HIPAA does not stand in the way of sharing that kind of data."
Widespread misinterpretations of HIPAA have also trickled down to ordinary citizens, who wind up thinking the law extends further than it does. "These things become, on the surface, conventional wisdoms, and then people believe it," Bloch explained.
"Maybe a doctor's office doesn't want to bother with sharing a medical record, and so some assistant up front says HIPAA," he added. "He or she doesn't know what they're talking about. But the typical patient is not a lawyer, so the patient might not want to get into anything resembling a confrontational relationship with his or her doctor's office."
The result: The patient takes the incorrect information about HIPAA at face value and the myth proliferates. "Those are some of the ways that this mythology leaches into public space," Bloch said.
Other everyday situations that aren't covered under HIPAA: "If your boss/teacher asks if you're vaccinated, that's not covered by HIPAA," Morado said. Neither is your step count or heart rate recorded by an Apple Watch or Fitbit, he added.
"The biggest misconception is HIPAA protects all of your personal health care information and that it applies to all businesses," Morado said. "HIPAA only protects information given to covered entities."
A non-exhaustive list of entities that are NOT covered by HIPAA, according to HHS:
At the end of the day, HIPAA is "porous, maybe even squishy," according to Bloch. It's also subject to politics and political interests. While the law was meant to protect patient privacy, "the players that saw their business strategies as vulnerable got into the game, and made sure that there was plenty of Swiss cheese," he said of HIPAA. In addition to being misinterpreted, the law has many loopholes that benefit the marketing and the pharmaceutical industries, for whom health care data is extremely valuable.
Bloch added, "HIPAA does not give us anything like complete control."