When President Trump was hospitalized with COVID-19, his doctor pointed to “HIPAA rules and regulations” as the reason he couldn’t speak more freely about Trump’s condition. HIPAA is a medical privacy law, but people often misunderstand what it does and doesn’t do.
Margaret Riley is a law professor at the University of Virginia who specializes in health law. She spends a lot of time teaching future lawyers and medical professionals how medical privacy laws work. Here are the basics.
1. What is HIPAA and why did Congress pass it?
The Health Insurance Portability and Accountability Act’s Privacy Rule is a federal law that went into force in 2003. The need for such a law had been underscored when tennis star Arthur Ashe’s HIV status was revealed publicly and country music star Tammy Wynette’s health records were sold to tabloids for a few thousand dollars. People were also starting to worry about genetic privacy. And Congress recognized that the internet would make it easier for health care privacy breaches to occur.
The law prohibits health care providers and businesses and people working with them – including administrative staff, laboratories, pharmacies, health insurers and so on – from disclosing your health information without your permission. That includes information about your COVID-19 symptoms and test results – though there are some exceptions.
2. Is all my medical info protected by HIPAA?
No, HIPAA protects only health care information that is held by specific kinds of health care providers. For example, health care data that may be on your Apple Watch or Fitbit are usually not covered by HIPAA. Similarly, genetic data you enter on websites like Ancestry.com are not covered by HIPAA.
Even some apps that do things like help you maintain your blood sugar may not be covered by HIPAA if you aren’t using them at the direction of your health care provider. Other laws or agreements like the privacy disclosures required on many apps (although many people don’t read them) may protect that information, but HIPAA does not.
Employers are generally not covered health providers, so HIPAA does not apply to them. If necessary to protect others, your work could share that you have an illness. That said, other laws like the Americans with Disabilities Act may prevent your employer from disclosing identifiable health information about you that you may have shared with them.
3. Who can disclose what under HIPAA?
HIPAA gives you the right to control your health information disclosures so you can tell your health care provider what to share.
For example, you may be willing to have your health care provider share some of your health information with family members, but you might not want to share all of it; you can tell your health care provider not to share any stigmatizing information or procedures that your family might not know about. You need to be very clear with your health care provider if you want to exclude some information. Some information, like psychotherapy notes or giving your data to marketing companies, requires written authorization.
Sometimes people try to use HIPAA as an excuse for actions that it doesn’t in fact cover. In 2020, for instance, some people confronted with rules about wearing masks in stores assert that they don’t need to wear one and don’t need to explain why because of HIPAA. That’s not actually how this privacy law works.
4. Could my health care provider be required to disclose any of my info without my permission?
There are exceptions to HIPAA’s nondisclosure requirements. For example, HIPAA regulations allow covered health care providers to disclose patient information to help treat another person, to protect public health and for certain law enforcement purposes.
There are additional exceptions that apply during a pandemic. For instance, while health departments may have access to information about people in their district who’ve tested positive for COVID-19, HIPAA and other privacy laws require them not to release any more information than is needed to keep people safe. So, health departments will provide information about how many people have tested positive and how many people are hospitalized, but they won’t release any names to the general public. Health department contact tracers may reveal identities of individuals if it’s really necessary to alert specific people that they may have been exposed.
HIPAA covers President Trump just as it does you and me. There may be good reasons that people want to know more about the president’s health, but his health providers can provide the public only with information about his health that he has allowed them to share. They shouldn’t say anything that isn’t true, but they can certainly omit information.
5. What if someone violates my rights under HIPAA?
Only the government can bring a claim if an individual’s protected health information is breached. So to bring a federal claim, you would need to work with the Office of Civil Rights at the U.S. Department of Health and Human Services. You may be able to sue under state law and use the breach of your HIPAA rights as evidence.
Some people who are particularly worried about their privacy may ask health care providers to sign a nondisclosure agreement that gives them additional claims and the right to sue directly if there is a breach.