Reprinted from the NYTimes – by Aishvarya Kavi July 24th
How the HIPAA Law Works and Why People Get It Wrong
The measure prohibits health professionals from revealing your medical records, but it is perfectly legal to ask whether someone has been vaccinated.As September beckons people back to the office and the highly infectious Delta variant of the coronavirus spreads rapidly across the country, workplaces are navigating a range of challenges, including whether to require employees to be vaccinated or to reimpose mask mandates.
Some, including Representative Marjorie Taylor Greene, Republican of Georgia, are resisting those calls, as she falsely claimed this week that disclosing vaccination status “was a violation of my HIPAA rights,” the federal regulation that protects confidential health information.The Health Insurance Portability and Accountability Act, known as HIPAA, governs the privacy of a patient’s health records, but it is legal to ask Ms. Greene about her medical history. Still, her assertion reflects a misperception that has spread across social media and fringe sites as online misinformation and misstatements about vaccines help fuel a resistance to being inoculated.Here’s a look at what privacy protections HIPAA offers and why it is so frequently misinterpreted.
What is HIPAA?
In 1996, President Bill Clinton signed into law HIPAA, a broad piece of health and privacy legislation that helped update and regulate how health insurance was sold and how personal medical information was stored as electronic processing took hold.
One aspect of the law, the privacy rule, makes it illegal for certain people and organizations, including health care providers, insurers, clearinghouses that store and manage health data and their business associates, to share a patient’s medical records without the patient’s explicit consent. Those parties handle patient health records on a daily basis.
Does the law make it illegal to ask a person’s vaccination status?
No. The law applies only to companies and professionals in the health care field, although some people may incorrectly imply otherwise, as Ms. Greene did in suggesting that the measure offered Fifth Amendment-like protection against revealing personal health information. HIPAA is extremely “narrow,” said I. Glenn Cohen, an expert on bioethics and health law with the Harvard School of Law. “Whenever anyone says to you ‘HIPAA prohibits that,’ ask them to point to the portion of the statute or regulation that prohibits it. They often won’t be able to do so.”
Moreover, nothing in the law prohibits asking about someone’s health, be it vaccination status or proof that such information is accurate.Regardless, some have turned to the law as a pretext to deflect those questions, even though HIPAA is not applicable to employers, retail stores or journalists, among other parties.In July, the lieutenant governor of North Carolina, Mark Robinson, falsely claimed on Facebook that President Biden’s door-to-door campaign to encourage vaccination and asking whether residents have been inoculated were “illegal” under HIPAA.
It is at your discretion to disclose whether you have been vaccinated. No federal law prevents companies from requiring their employees to be vaccinated, though there are certain exceptions if you have a disability or a sincerely held religious belief.
Why is HIPAA widely misunderstood?
Long before social media and fringe news sites disseminated harmful health misinformation, like whether masks work (they do) or whether the coronavirus vaccine will alter your DNA (it won’t), HIPAA and its use as a catchall excuse for privacy have often lent themselves to misinterpretation.
“I often joke that even though it is five letters, HIPAA is treated as a four-letter word,” Mr. Cohen said. Physicians, he said, have often used it as a reason not “to do something they don’t want to do, like providing a patient certain information by saying — perhaps believing it but being incorrect — ‘well, that would be a HIPAA violation.’”
Understand the State of Vaccine Mandates in the U.S.
-
- College and universities. More than 400 colleges and universities are requiring students to be vaccinated for Covid-19. Almost all are in states that voted for President Biden.
- Hospitals and medical centers. Many hospitals and major health systems are requiring employees to get the Covid-19 vaccine, citing rising caseloads fueled by the Delta variant and stubbornly low vaccination rates in their communities, even within their work force. In N.Y.C., workers in city-run hospitals and health clinics will be required to get vaccinated or else get tested on a weekly basis.
- Can your employer require a vaccine? Companies can require workers entering the workplace to be vaccinated against the coronavirus, according to recent U.S. government guidance.
But experts say politicians and public figures inflict further damage in perpetuating incorrect claims, allowing misunderstandings about HIPAA and vaccine skepticism to flourish.
“This rumor might not be specifically harmful in itself, but it’s part of a narrative that is harmful,” said Tara Kirk Sell, an assistant professor of health security at Johns Hopkins’s Bloomberg School of Public Health. “It is especially a problem when there’s an information void and in this case, it’s that people don’t know what HIPAA is.”
Ms. Greene has previously spread misinformation about HIPAA and about vaccines. Twitter suspended her account this week after she asserted that Covid-19 was not dangerous to young, healthy people — a claim that the Centers for Disease Control and Prevention has disproved.
“The HIPAA laws are real and they do something important,” Ms. Sell said. “The misinterpretation of what it’s all about just adds to this firestorm of anti-vaccine sentiment.”