Business & Government

What Is the HIPAA Privacy Rule? A UVA Health Law Scholar Explains

Editor’s Note: As workplaces reopen, many employers are grappling with whether to require employees to be vaccinated or to impose mask mandates. Some have faced resistance in the form of false claims that being asked to disclose one’s vaccination status is a violation of the Health Insurance Portability and Accountability Act’s Privacy Rule, or HIPAA.
To explain the rule, Margaret (Mimi) Foster Riley, a professor of law, public health sciences, and public policy at the University of Virginia, wrote this piece for The Conversation. Riley has written and presented extensively about health care law, biomedical research, genetics, reproductive technologies, stem cell research, animal biotechnology, health disparities and chronic disease.

The Health Insurance Portability and Accountability Act’s Privacy Rule is a federal law prohibiting health care providers, businesses and the people working with them – including administrative staff, laboratories, pharmacies, health insurers and so on – from disclosing your health information without your permission.

When people talk about HIPAA, they typically refer to the Privacy Rule provision established in 2003, which is just one part of a broader law initially passed by Congress in 1996. The Privacy Rule came into force after tennis star Arthur Ashe’s HIV status was publicly revealed and country music star Tammy Wynette’s health records were sold to tabloids. People were starting to worry about genetic privacy. And Congress recognized that the internet would make it easier for health care privacy breaches to occur.

Why the HIPAA Privacy Rule Matters

The HIPAA Privacy Rule gives you the right to control your health information disclosures so you can tell your health care provider what to share. If you don’t want to share some of your health information with your family members, you can tell your health care provider to withhold that information from them.

Discovery and Innovation: NASA selects UVA researcher for asteroid mission

However, HIPAA only protects health care information held by specific kinds of health care providers. For example, health care data on your Apple Watch or Fitbit is not usually covered by HIPAA. Genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements, like the privacy disclosures required on many apps, may protect that information, but HIPAA does not.

Sometimes people try to use HIPAA as an excuse for actions it doesn’t actually cover. For instance, some people who refused to comply with coronavirus-related mask rules in stores asserted that they couldn’t be asked to explain why because of HIPAA protections. But that’s not how this privacy law works: It’s legal for someone to ask you about your vaccination status. And anyone can provide information about their own vaccination status (or any personal health information) without violating HIPAA.

Are There Exceptions to the HIPAA Privacy Rule?

Certain exceptions to HIPAA’s nondisclosure requirements allow covered health care providers to disclose patient information to help treat another person, protect public health and aid in certain law enforcement investigations.

During a pandemic, for instance, public health departments can provide information about how many people have tested positive for a disease, but they cannot mention specific names to the general public unless it’s necessary to alert particular people that they may have been exposed. This is because HIPAA and other privacy laws require them not to release any more information than is needed to keep people safe.