HIPAA, the health privacy law that’s more limited than you think, explained

2021-04-20 12:00:00

The first thing to know about HIPAA is that it is HIPAA, not HIPPA. There is only one P, and that P does not stand for "privacy."

"People are making up what that acronym stands for," Deven McGraw, co-founder and chief regulatory officer of the medical records platform Ciitizen and former deputy director for health information privacy in the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), told Recode.

"More often than not, (they think it is) Health Information Privacy Protection Act: HIPPA. Yes, that law doesn't exist."

Both the misspelling and the widespread belief that HIPAA grants a strict set of privacy protections to all health data – and that everyone is subject to those laws – are common and understandable mistakes: HIPAA is pronounced "hippo," but with an "a," and most patients don't come across it until they sign the notice of privacy practices that their healthcare providers are required by law to give them. In addition, most people consider their health information to be highly sensitive and assume that their lawmakers have put the correct guardrails in place to keep it as private as possible. But HIPAA's privacy rules are more limited than they may realize.

"HIPAA has great branding because everyone knows it, even if they spell it wrong," said Lucia Savage, chief privacy and regulatory officer at Omada Health and former chief privacy officer at HHS's Office of the National Coordinator for Health IT. "What is not well understood are the boundaries. It is very specifically a law that regulates information that is collected because a person seeks medical care."

Normally, the misunderstanding would be harmless, if annoying. But the pandemic has helped bring health privacy concerns to the fore. As with many other things in the past year, we've moved many of our health interactions online. Some of these may not be covered by HIPAA, but a lot of people just assume they are. And as the pandemic became increasingly politicized, many people cited HIPAA as an excuse to get out of mask mandates and to declare vaccine passports illegal. None of these claims are true, but that hasn't stopped many people from making them – even though using them to avoid public safety measures can harm everyone.

"It certainly seems to have gotten worse in the Covid era because the misinformation being spread through social media outlets is vastly off-base and yet with such a high level of confidence it is claimed that people believe it," said McGraw.

The perception that HIPAA is solely a health privacy law to which everyone is subject has become so common that there is now a Twitter account to document it.

A few months into the pandemic, Bad HIPPA Takes – the misspelling is a deliberate nod to how often people who claim to know the law get the acronym wrong – appeared. It was created by an anonymous former health care provider who told Recode they were tired of seeing rampant misinformation about HIPAA and feared it could cause harm.

The creator of the Bad HIPPA Takes account says some of the most common HIPAA inaccuracies of the past year have to do with wearing masks, tracing contacts, mandatory temperature checks and, now, vaccine passports.

"There is a lot of confusion about who and what HIPAA actually applies to," they said. "The sheer amount of bad information about it is almost insurmountable."

Suffice to say, Bad HIPPA Takes has plenty of material to draw from for its more than 11,000 followers. But educating the general public about what HIPAA actually does is another matter.

"Getting people to understand what a Covered Entity or Business Associate is in 280 characters is not an easy task," said the person who manages the account. "I can write the words, but of course this platform is not well suited for a well-considered, nuanced discussion."

What HIPAA actually does

So, what does that one P stand for if not privacy? Portability, of course.

HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act. The 1996 Act's origins lie in creating federal standards for digitizing medical claims data and records (the "accountability") and in allowing employees to keep health insurance, including for pre-existing conditions, when they changed jobs (that's the "portability") – rights they didn't have before the Affordable Care Act.

The privacy provisions that most of us associate with HIPAA today were not really the focus of the law at the time.

"When Congress passed this bill, they realized there was going to be a massive digitization of health data, and that might require privacy protections," McGraw said.

It took a few years to work out, so HIPAA's privacy rule wasn't issued until the end of 2000 and didn't take full effect until 2002; it was updated in 2013.

HIPAA has several elements, including provisions to prevent healthcare fraud, to simplify and standardize medical records, to set pre-tax medical savings account rules for employees, and to provide continuing health insurance for employees who have lost or changed their jobs. For the purposes of this explainer, we focus on the privacy rule, which falls under the law's administrative simplification section.

HIPAA only applies to what are called "covered entities." These are essentially healthcare providers (for example doctors, hospitals and pharmacies), health insurers and healthcare clearinghouses (which process medical data). It also covers their "business associates," the contractors who need to handle medical records in some way to do work for those covered entities. Those parties are required to follow certain protocols to keep your protected health information safe and private.

That's why your healthcare provider or insurer may require that you communicate with them through secure, HIPAA-compliant channels and patient portals, or take other steps to verify your identity before discussing protected health information with you. HIPAA's privacy rule also requires that healthcare providers give you, the patient, a notice of their privacy practices and access to your own medical records. In fact, many HIPAA complaints from patients are not about privacy violations, but about the lack of access to medical records.

If you believe your HIPAA rights have been violated, you can file a complaint with HHS's Office for Civil Rights. But – and this is another common misconception, as indicated by the tweets above – you can't sue the alleged violator yourself. The Office for Civil Rights takes action when warranted, for example by imposing fines or even criminal penalties on violators.

What HIPAA doesn't do

It's important to note that medical privacy didn't start with HIPAA, and it's not the only health privacy law. There are other laws that protect certain types of health information: some states have their own stricter medical privacy laws, and laws like the Americans with Disabilities Act require employers to keep medical information about their employees with disabilities confidential. And the concept of doctor-patient confidentiality has been around for a long time – it's part of the Hippocratic Oath (which is not a law) – and that trust is a necessary part of good medical care.

"If I'm the doctor and you're the patient, you come to me and you might tell me some really secret things," Savage said. "And I need to know that in order to give you the right care and diagnose you."

At the same time, many of us freely give away our health information to all kinds of places and people who don't have a legal obligation to keep that information private or secure. With the internet, there are more ways to do that than ever.

"I think when you talk about interactions with the health care system, chances are they are protected by HIPAA," said McGraw. "Now, where those things break: if you track your steps on a Fitbit or if you use a nutrition app, of course, that's not covered by HIPAA."

That appointment with a therapist you tweeted about? Your vaccine Instagram selfie? Your membership in a Facebook support group for people with herpes? The period app on your phone? The heart rate monitor on your wrist? Browsing WebMD for information on your recent lupus diagnosis? The mail-order DNA test? The Uber trip you took to the emergency room? That's all health information, most of it directly tied to you, and it can be sensitive – and none of it is covered by HIPAA (unless protected health information is shared with a covered entity, as is the case with some digital health services).

And then we have the organizations that handle health data but are not covered by HIPAA, including most schools, law enforcement, life insurance companies, and even employers. They may be covered by other privacy laws, but HIPAA is not one of them.

And right now, even some things that are actually covered by HIPAA have gotten a temporary exemption from enforcement because of the pandemic. The Office for Civil Rights is not enforcing the rule requiring healthcare providers to use HIPAA-compliant platforms for telehealth, nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines – an issue that arose when some health service sign-up portals crashed and they turned to Eventbrite. Eventbrite is a great service for getting a lot of people to register for an event that is in high demand, but it is not HIPAA compliant. The Office for Civil Rights told Recode that this enforcement discretion will remain in effect "until the HHS Secretary determines that the public health emergency no longer exists."

All of this is to say that if you go to Starbucks (not a covered entity) and refuse to wear a mask because you say you have a health condition, it is not a HIPAA violation if the barista asks you what that condition is. Nor is it a HIPAA violation if Starbucks refuses to serve you.

If your doctor were to walk into that Starbucks and pass your health information on to someone within earshot without your permission, that would be a HIPAA violation. It would also be a good time to change doctors. Fortunately, HIPAA allows you to request your medical records and take them to a new provider. And if someone else happened to record your doctor's outburst and put it on TikTok, that's not a HIPAA violation, even if it contains information that was once protected by HIPAA.

"The protections don't stick to the data and protect it all the way downstream," said McGraw.

In addition, someone asking if you have been vaccinated is not a HIPAA violation. In fact, it is not a HIPAA violation for anyone to ask you about your health status, although it could be considered rude. A business that requires you to show that you have been vaccinated before you can participate is not committing a HIPAA violation. Your employer asking you to be vaccinated and to show proof before you can go to the office is not a HIPAA violation. Schools requiring students to receive certain vaccinations before participating are not committing a HIPAA violation.

Oh, and vaccine passports – which the Biden administration has already said it has no plans to mandate, and which have been around for decades if not longer – are also not HIPAA violations. Let's take a look at New York's Excelsior Pass. To use it, you voluntarily give the app permission to access your medical records, and, as the app's disclaimer clearly states: "(T)he website is not offered to you by a healthcare provider, so as such you are not providing any protected health information for treatment, payment, or healthcare operations (as defined in the Health Insurance Portability and Accountability Act (HIPAA))."

That's not to say other, non-HIPAA laws aren't at play here. Certain anti-discrimination laws limit the medical information that employers and businesses can request from their employees or customers, and they are required to make reasonable accommodations for qualifying health conditions. But even those other laws don't, as we've seen, mean businesses must admit unmasked people to their facilities or that they cannot require employees to be vaccinated (unless those employees have a medical or religious reason why they cannot be).

Closing the gap in health law

So HIPAA is not the all-encompassing health privacy law that many people think it is, but that mass assumption suggests that such a law is both desirable and necessary. HIPAA leaves many gaps that a privacy law can and should fill. The pandemic has only made this clearer.

"People protect their health information fairly," Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), told Recode. "They just assume it's covered because it's absurd that it isn't."

Experts believe that this coverage should come from comprehensive federal privacy laws that include provisions for sensitive information, such as health data, or what could be considered sensitive data uses.

"What we need is for Congress to pass a comprehensive privacy law that sets limits on what companies can use this data for, how long they can keep it, to whom they can disclose it, and not put the burden of dealing with that on the individual," Fitzgerald said. "The burden must be placed on the company collecting the data to protect it and minimize its use."

Savage said people concerned about health privacy laws may find a more productive use of their time in reaching out to their lawmakers to advocate for the health privacy protections they believe they are entitled to.

"If individual lawmakers want to act, they need to understand why it's important," Savage said. "And that's where the human stories come in. Even an email to your legislator saying, 'I had this thing happen and I was really worried, it made me nervous about getting vaccinated. Can you please fix this?'"

Rep. Suzan DelBene (D-WA) is one of several lawmakers who have pushed for better health privacy protections during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill introduced in both houses of Congress in 2020 and reintroduced in early 2021. It would protect digital health data collected to fight the pandemic (for example, through contact tracing apps or vaccine appointment booking tools) from use for unrelated purposes by the government or private companies.

"HIPAA provides some protection for our health information, but the technology has evolved faster than our laws," DelBene told Recode. "The Public Health Emergency Privacy Act shows how we can protect consumer information during the pandemic, but I think we need to move on as this issue pervades every part of our digital lives."

DelBene recently introduced the Information Transparency and Personal Data Control Act, which provides additional protections for sensitive information, such as health data. It is one of what will likely be several consumer privacy bills introduced this session, all of which could give Americans better privacy protections for their health data. That is, assuming one of them actually passes.

In the meantime, at least we have the Federal Trade Commission (FTC), which can – and has – gone after apps and websites that violated their own privacy policies, including a period app.

And while Bad HIPPA Takes isn't a fan of how the law has been misinterpreted to falsely declare vaccine passports illegal, they are concerned about where individual privacy rights (not HIPAA) end and where a company's property rights begin when it comes to those passports.

"If you live in rural America and Walmart is your only grocery store, do you just have to shop online forever, at an additional cost and expense, because they decide to require vaccinations to enter their stores?" they asked. "What if you are in that situation and don't have a bank account? The so-called digital divide can make things worse for many people in the short term if the implementation of a vaccine passport system is done recklessly."

That's not a HIPAA take, but it's worth considering.

Open source is powered by Omidyar Network. All open source content is editorially independent and produced by our journalists.
