What is HIPAA? What the health privacy law does and doesn't protect

The Health Insurance Portability and Accountability Act — otherwise known as HIPAA — has become a major topic of discussion amid the rollout of COVID-19 vaccines as some individuals who have been asked about their vaccination status claim that the question is a violation of HIPAA.

For example, when asked about his vaccination status, Dallas Cowboys quarterback Dak Prescott said: “I don't necessarily think that's exactly important. I think that's HIPAA.” Congresswoman Marjorie Taylor Greene (R-GA) made similar remarks after a reporter asked if she was vaccinated, stating that “with HIPAA rights, we don't have to reveal our medical records, and that also includes our vaccine records.”

These assertions are incorrect, according to Marc Haskelson, president and CEO of Compliancy Group, a company that assists health care institutions with achieving HIPAA compliance.

“Misunderstanding it is very common,” Haskelson told Yahoo Finance. “It’s really a shame because if people really understood its purpose, I think people would be much happier about its existence.”

Dak Prescott, who claimed that a question about his vaccination status was a HIPAA violation, watches from the sidelines during the first half of the NFL preseason game against the Arizona Cardinals on August 13, 2021 in Glendale, Ariz. (Photo: Christian Petersen/Getty Images)

Confusion about what HIPAA actually is and how it's implemented is common, which Haskelson attributed to the fact that the law's original definition pertained to the exchange of insurance and billing information between providers and insurance companies.

But in today’s world, he said, “it’s far more revolved around protecting privacy” — albeit with some caveats.

What is HIPAA?

HIPAA was implemented in 1996 by President Clinton as a way to “strike a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.”

In other words, HIPAA is America’s primary health care privacy law.

“What it really is for us is the concept that your health information is yours, and it should be protected by anybody who interacts with [it],” Haskelson said. “The original history of HIPAA was really around abuse of people’s private health care information. It’s everything from your name, your Social Security number, to things like a picture of your eyeball during a surgical procedure.”

That information, he explained, is very valuable.

“What it does is it’s supposed to be a set of standards that says anybody who’s involved with your information — whether it’s a doctor’s office or a billing company — everybody involved is supposed to maintain a minimum standard around privacy and secure the information,” Haskelson said. “That’s the purpose.”

Not all entities are bound by HIPAA. According to HIPAA Journal, the law applies to “the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans.” Those who do not have to abide by HIPAA include life insurers, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices.

HIPAA also contains an exception for disclosures made for public health activities, which recognizes the need to report vital events like births and deaths as well as information on the spread of infectious diseases.

Employees enter vaccine record information during a COVID mobile vaccine clinic at California State University Long Beach campus on August 11, 2021. (Photo by Patrick T. Fallon / AFP via Getty Images)

Another key provision of HIPAA is that it ensures that you have access to your personal health information and prohibits doctors from keeping that info from you. This is called “rights of access” and requires HIPAA-covered entities to provide individuals with their medical records, billing records, enrollment, payment, claims adjudication, and other related records upon request.

“It allows you as a consumer to call it that you have every right to see the information that’s contained about you and to modify it if it’s incorrect,” Haskelson said.

This is crucial if your information on file is incorrect since it can affect life insurance applications and other important forms, as was the case for Haskelson.

Haskelson once pulled a muscle in his rib cage and experienced pain while breathing as a result. After visiting his doctor, the physician recorded it as “chest pains” rather than a pulled muscle. When Haskelson went to update his life insurance two years later, he was denied because of that note on his record.

“Under HIPAA, I had the right to call my doctor’s office and say, ‘Could you please correct the record that I didn’t come there for chest pains, that I came there because of the cartilage and I needed a chest wrapper?’” Haskelson said. “It made it look like I had a heart attack, and therefore they wanted to deny me life insurance.”

A Covid-19 vaccine record card is seen at Florida Memorial University Vaccination Site in Miami Gardens, Florida on April 14, 2021. (Photo by Chandan Khanna / AFP via Getty Images)

How does HIPAA work in the time of a pandemic?

So does HIPAA apply to COVID vaccination status?

The answer is no, according to Haskelson, because the coronavirus is a serious public health risk. Consequently, discussions around vaccination status or status of having COVID are also considered a matter of public health.

“This is like polio,” Haskelson said. “This is not subjective, how you feel about something. This is a world health risk. Whatever your political beliefs are or your religious beliefs are, this is to protect everybody.”

And while Haskelson didn’t think the vaccine question posed to Dak Prescott was necessarily appropriate, it wasn’t the HIPAA violation that Prescott claimed it was for two reasons: a medical provider wasn't being asked about Prescott's health information, and COVID is a public health issue anyway.

Furthermore, because COVID is a public health issue, businesses technically have the right to ask for proof of vaccination status from their customers and workers, with some limitations.

“What I'm not allowed to ask is: ‘If you had COVID, what were the symptoms you had?’” Haskelson said. “Because that's your personal health information. But the concept of the vaccination — because I get asked all the time, ‘They won't let them back in school unless they get a vaccine and all that’ — and I'm like, ‘Look, this is public health.’”

Adriana Belmonte is a reporter and editor covering politics and health care policy for Yahoo Finance. You can follow her on Twitter @adrianambells and reach her at adriana@yahoofinance.com.
