What is the HIPAA Privacy Rule? A health law scholar explains

The Health Insurance Portability and Accountability Act’s Privacy Rule^[1] is a federal law prohibiting health care providers, businesses and the people working with them^[2] – including administrative staff, laboratories, pharmacies, health insurers and so on – from disclosing your health information without your permission.

When people talk about HIPAA, they typically refer to the Privacy Rule^[3] provision established in 2003, which is just one part of a broader law initially passed by Congress in 1996. The Privacy Rule came into force after tennis star Arthur Ashe’s HIV status was publicly revealed^[4] and country music star Tammy Wynette’s health records were sold^[5] to tabloids. People were starting to worry about genetic privacy. And Congress recognized that the internet would make it easier for health care privacy breaches to occur.

Why the HIPAA Privacy Rule matters

The HIPAA Privacy Rule gives you the right to control your health information disclosures so you can tell your health care provider what to share. If you don’t want to share some of your health information with your family members, you can tell your health care provider to withhold that information from them.

However, HIPAA only protects health care information held by specific kinds of health care providers. For example, health care data on your Apple Watch or Fitbit is not usually covered by HIPAA. Genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements like the privacy disclosures required on many apps^[6] may protect that information, but HIPAA does not.

Sometimes people try to use HIPAA as an excuse for actions it doesn’t actually cover. For instance, some people who refused to comply with coronavirus-related mask rules in stores asserted that they couldn’t be asked to explain why because of HIPAA protections^[7]. But that’s not how this privacy law works: It’s legal for someone to ask you about your vaccination status. And anyone can provide information about their own vaccination status (or any personal health information) without violating HIPAA.

Are there exceptions to the HIPAA Privacy Rule?

Certain exceptions^[8] to HIPAA’s nondisclosure requirements allow covered health care providers to disclose patient information to help treat another person, protect public health and aid in certain law enforcement investigations.

During a pandemic, for instance, public health departments can provide information about how many people have tested positive for a disease, but they cannot mention specific names to the general public unless it’s necessary to alert particular people that they may have been exposed. This is because HIPAA and other privacy laws require them not to release any more information than is needed to keep people safe.

Portions of this article originally appeared in a previous article published on Oct. 15, 2020^[9].

The Conversation U.S. publishes short, accessible explanations of newsworthy subjects by academics in their areas of expertise.

References

1. ^{^} Health Insurance Portability and Accountability Act’s Privacy Rule (www.hhs.gov)
2. ^{^} health care providers, businesses and the people working with them (www.hhs.gov)
3. ^{^} Privacy Rule (www.ncbi.nlm.nih.gov)
4. ^{^} Arthur Ashe’s HIV status was publicly revealed (www.nytimes.com)
5. ^{^} Tammy Wynette’s health records were sold (www.cmt.com)
6. ^{^} privacy disclosures required on many apps (theconversation.com)
7. ^{^} couldn’t be asked to explain why because of HIPAA protections (www.usatoday.com)
8. ^{^} Certain exceptions (www.hhs.gov)
9. ^{^} previous article published on Oct. 15, 2020 (theconversation.com)