
What You Should Know About HIPAA

HIPAA, the acronym for the Health Insurance Portability and Accountability Act, has come up a lot since the beginning of the COVID-19 pandemic. You may have seen people on social media or news shows discussing their HIPAA rights regarding masks or vaccinations. In short, HIPAA is a federal law that protects patients’ sensitive health information from being disclosed without their knowledge or consent.

But how much do you really know about HIPAA and your rights? Today’s blog answers some questions and busts some myths.

What is HIPAA?

The federal Health Insurance Portability and Accountability Act of 1996 created national standards to protect the health information of patients from being disclosed without their consent or knowledge. The HIPAA Privacy Rule implements the requirements of HIPAA and, according to the CDC, ensures that “individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”

What entities are subject to HIPAA?

Not everyone or every business is required to follow HIPAA rules. Deven McGraw, co-founder and chief regulatory officer of the medical records platform Ciitizen, told Vox, “I think generally, when you’re talking about interactions with the health care system, the likelihood that they’re protected by HIPAA is very strong. Now, where those things break down: Obviously, if you’re recording your steps on a Fitbit or you’re using a nutrition app, that’s not going to be covered by HIPAA.”

The CDC states that HIPAA applies to the following kinds of entities:

  • Healthcare providers, including any provider who electronically transmits health information like claims, benefit eligibility, referral authorizations, and other transactions
  • Health plans, including traditional health, dental, vision, and prescription drugs, HMOs, Medicare, Medicaid, Medicare+Choice, Medicare supplement insurers, and long-term care insurers
  • Healthcare clearinghouses, such as entities that receive and process individually identifiable health information
  • Business associates, including a person or organization using individually identifiable health information to perform their jobs for one of these entities

HIPAA also requires health care providers to give you a notice of their privacy practices, and a way for you to access your medical records (typically through a secure and compliant online private portal).

Can a business ask me about my COVID vaccination status?

So, what does this mean in real-life scenarios? Here are some examples related to the COVID-19 pandemic, courtesy of Vox.

  • If someone refuses to wear a mask in a Starbucks due to a health condition and the manager asks what that health condition is? Not a HIPAA violation.
  • If that person’s doctor happens to be in that Starbucks and tells the manager the person’s health condition without their permission? HIPAA violation.
  • If someone records this entire incident and posts the video online? Not a HIPAA violation.

Further, an inquiry about your vaccination status is not a HIPAA violation, whether it comes from a business, your employer, or a school or university.

What about workers’ comp?

Welcome to the exception to the privacy rule – kind of. When you get hurt on the job and make a claim for workers’ compensation, you’ll be asked to release your medical records. But even this exception has its limits. For example, your employer’s insurance company can see your medical records, but your employer can’t.

This is a pretty tricky issue, but we’ve talked about it before: you can find more information on what HIPAA protects in a workers’ compensation claim here.

What if my doctor’s office gets hacked?

Data breaches don’t necessarily equate to a HIPAA violation, either. As HIPAA Journal explains:

Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.

The [Department of Health and Human Services’ Office for Civil Rights] OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.

So, if it turns out that your doctor’s office took no steps whatsoever to keep your data safe, then yes – it might be a HIPAA violation. But most of the time, data breaches are not. They’re just an unfortunate side effect of storing data online.

Can I sue my doctor for violating HIPAA law?

Not exactly. If you believe your HIPAA rights were violated, you cannot take legal action against your healthcare provider yourself. Instead, you must file a complaint with OCR. If you have any questions about this process, feel free to contact an experienced attorney.

Is HIPAA really protecting my information?

Vox talks to some experts who believe that, although HIPAA is a good start, Congress needs to fill the health information privacy gap. Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), said, “What we need is for Congress to pass a comprehensive privacy law that sets limits on what the companies can use this data for, how long they can keep it, who they can disclose it to, and doesn’t put the burden of dealing with that on the individual. The burden needs to be on the company that’s collecting the data to protect it and to minimize its use.”

It is important to understand your HIPAA rights, especially when you have been injured in an accident. You have the right to access your own medical records, and you have the right to know, and to give consent to, whom your records are shared with. If you have any concerns about your rights, contact Gainsberg Law in Chicago by calling 312-600-9585 or by filling out our contact form. Initial consultations are free.