
HIPAA, the health privacy law that’s more limited than you think, explained

You probably don’t know what HIPAA really means. Let’s fix that.

The first thing you should know about HIPAA is that it’s HIPAA, not HIPPA. There is only one P, and that P doesn’t stand for “privacy.”

“People make up what that acronym stands for,” Deven McGraw, co-founder and chief regulatory officer of the medical records platform Ciitizen and former deputy director for health information privacy at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), told Recode.

“More often than not, [they think it’s] Health Information Privacy Protection Act: HIPPA. Yeah, that law does not exist.”

And yet, when reporters have asked whether an individual has been vaccinated, people at the top levels of government (Georgia Rep. Marjorie Taylor Greene, a repeat offender) and sport (Dallas Cowboys quarterback Dak Prescott) have invoked HIPAA. Greene has even claimed that just asking the question was somehow a “violation” of her “HIPAA rights.” As more employers and schools mandate that their employees and students get vaccinated, the HIPAA question is coming up again.

So let’s get one big question out of the way first:

Is it a HIPAA violation for your employer to require vaccines?

No.

Nor is it a HIPAA violation for them to ask for proof that you have been vaccinated, though many people seem to think that providing or even soliciting any sort of health information automatically becomes a HIPAA issue.

Employers do have to keep their employees’ vaccination statuses confidential, but that’s because of the Americans with Disabilities Act — not HIPAA, which, again, doesn’t apply here.

Why HIPAA is so misunderstood

Both the misspelling and the widespread belief that HIPAA confers a strict set of privacy protections to any and all health data — and that everyone is subject to those laws — are common and understandable mistakes: HIPAA is pronounced like “hippo” but with an “a,” and most patients only come across it when signing the notice of privacy practices that the law mandates their health care providers have them sign. Plus, most people consider their health information to be very sensitive and assume their lawmakers have put the appropriate guardrails in place to keep it as private as possible. But HIPAA’s privacy rules are more limited than they may realize.

“HIPAA has great branding because everyone knows it, even if they spell it wrong,” Lucia Savage, chief privacy and regulatory officer at Omada Health and former chief privacy officer at HHS’s Office of the National Coordinator for Health IT, told Recode. “What is not well understood is its limits. It’s very specifically a law that regulates information that is collected because a person is seeking health care.”

Normally, the misunderstanding would be an innocuous if annoying one. But the pandemic has helped bring health privacy issues to the fore. As with many other things over the past year, we’ve moved many of our health interactions online. Some of those may not be covered by HIPAA, but many people simply assume they are. And as the pandemic became increasingly politicized, many people cited HIPAA as an excuse to get out of mask mandates and to declare vaccine passports and mandates to be illegal. Neither of these assertions is true, but that hasn’t stopped many people from making them — even though using them to avoid public safety measures could be harmful to everyone.

“It sure seems to have gotten worse in the Covid era, because the misinformation that’s being promulgated through social media channels is wildly off-base and yet asserted with such a high level of confidence that people believe it,” McGraw said.

The perception that HIPAA is solely a health privacy law that everyone is subject to has become so common that there’s now a Twitter account to document it.

A few months into the pandemic, Bad HIPPA Takes — the misspelling is an intentional nod to how often people who claim to know the law get the acronym wrong — emerged. It was created by an anonymous former health care provider who told Recode they were sick of seeing rampant misinformation about HIPAA and concerned that it could cause harm.

The Bad HIPPA Takes account creator says some of the most common HIPAA inaccuracies over the past year have been about wearing masks, contact tracing, mandatory temperature checks, and, now, vaccine passports.

“There is a massive amount of confusion about who and what HIPAA actually applies to,” they said. “The sheer volume of bad information about it is nearly insurmountable.”

Suffice it to say, Bad HIPPA Takes has plenty of material to draw from for its nearly 20,000 followers. But actually informing the general public about what HIPAA does is another matter.

“Trying to get people to understand what a Covered Entity or Business Associate is in 280 characters is not an easy task,” the person who runs the account said. “I can write the words, but of course this platform doesn’t lend itself well to considered, nuanced discussion.”

What HIPAA actually does

So what does that one P stand for if not privacy? Portability, obviously.

HIPAA is short for the Health Insurance Portability and Accountability Act. The 1996 law’s origins lie in creating federal standards for digitizing medical claims data and records (“accountability”) and allowing employees to have health insurance coverage, including for preexisting conditions, when they changed jobs (that’s the “portability”) — rights they did not have before the Affordable Care Act.

The privacy provision that most of us associate HIPAA with today wasn’t actually the focus of the law at the time.

“When Congress was passing this law, they realized that there was going to be this massive digitization of health data, and there might need to be privacy protections for that,” McGraw said.

It took a few years to work those out, so HIPAA’s privacy rules weren’t issued until the end of 2000, and didn’t fully take effect until 2002. They were most recently updated in 2013.

There are several elements to HIPAA, including provisions to prevent health care fraud, to simplify and standardize medical records, to set rules for pre-tax employee medical savings accounts, and to ensure continuous health insurance coverage for employees who lost or changed their jobs. For the purposes of this explainer, we’re focusing on the privacy rule, which falls under its administrative simplification section.

HIPAA only applies to what are called “covered entities.” Those are, essentially, health care providers (doctors, hospitals, and pharmacies, for instance), health insurers, and health care clearinghouses (which process medical data). It also covers their “business associates,” or contractors who have to handle medical records in some way to do work for those covered entities. Those parties are required to follow certain protocols to keep your protected health information secure and private.

And that’s why your health care provider or insurer might require you to communicate with them through secure, HIPAA-compliant channels and patient portals, or take other steps to verify your identity before discussing protected health information with you. HIPAA’s privacy rule also requires that health care providers give you, the patient, a notice of their privacy practices and allow you to access your own medical records. In fact, a lot of HIPAA complaints from patients aren’t about privacy violations but about lack of access to medical records.

If you think your HIPAA rights have been violated, you can complain to the HHS Office of Civil Rights. But — and this is another common misconception, as indicated by the above tweets — you can’t sue the alleged offender yourself. The Office of Civil Rights takes action, if warranted, for instance by issuing fines or even criminal penalties to offenders.

What HIPAA doesn’t do

It’s important to note that medical privacy didn’t begin with HIPAA, and it’s not the only health privacy law out there. Other laws protect certain types of health information: some states have their own stricter medical privacy laws, and the Americans with Disabilities Act mandates that employers keep disability-related medical information about their employees confidential. And the concept of doctor-patient confidentiality has existed for a long time — it’s part of the Hippocratic Oath (which is not a law) — and that trust is a necessary part of good medical care.

“If I’m the doctor and you’re the patient, you come to me, you might tell me some really secret things,” Savage said. “And I need to know that to give you the right care and diagnose you properly.”

At the same time, many of us freely give away our health information to all kinds of places and people who have no real legal obligation to keep that information private or secure. With the internet, there are more ways to do that than ever.

“I think generally, when you’re talking about interactions with the health care system, the likelihood that they’re protected by HIPAA is very strong,” McGraw said. “Now, where those things break down: Obviously, if you’re recording your steps on a Fitbit or you’re using a nutrition app, that’s not going to be covered by HIPAA.”

That therapist appointment you tweeted about? Your vaccine Instagram selfie? Your membership in a Facebook support group for people who have herpes? The period tracker app on your phone? The heart rate monitor on your wrist? Browsing WebMD for information about your recent lupus diagnosis? The mail-order DNA test? The Uber trip you took to the emergency room? That’s all health information, most of it is directly tied to you, it can be sensitive, and none of it is covered by HIPAA (unless protected health information is shared with a covered entity, as is the case with some digital health services).

And then we’ve got the organizations that handle health data but aren’t covered by HIPAA, including most schools, law enforcement, life insurers, and even employers. They may be covered by other privacy laws, but HIPAA isn’t one of them.

And right now, even some things that actually are covered by HIPAA have been given a temporary enforcement waiver due to the pandemic. The Office of Civil Rights will not be enforcing its rule requiring health care providers to use HIPAA-compliant portals for telehealth, nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines — an issue that arose when some health services’ sign-up portals crashed and the services turned to Eventbrite. Eventbrite is a good service for getting a lot of people signed up for an event in high demand, but it’s not HIPAA-compliant. The Office of Civil Rights told Recode that enforcement discretion will remain in effect “until the Secretary of HHS determines that the public health emergency no longer exists.”

All this is to say that if you go to Starbucks (not a covered entity) and refuse to wear a mask because you say you have a health condition, it is not a HIPAA violation if the barista asks you what that condition is, nor is it a HIPAA violation if Starbucks refuses service to you.

If your doctor were to walk into that Starbucks and broadcast your health information to anyone within earshot without your permission, that would be a HIPAA violation. It would also be a good time to consider changing doctors. Fortunately, HIPAA allows you to request your medical records and bring them to a new provider. And if someone else happened to record your doctor’s outburst and put it on TikTok, that’s not a HIPAA violation, even though it does include information that was once protected by HIPAA.

“The protections don’t cling to the data and protect it all the way downstream,” McGraw said.

Additionally, someone asking if you’ve been vaccinated is not a HIPAA violation. In fact, it’s not a HIPAA violation for anyone to ask about any health condition you may have, though it might be considered rude. A business requiring you to show proof that you’ve been vaccinated before you can enter is not a HIPAA violation. Your employer requiring you to be vaccinated and show proof before you can go to the office is not a HIPAA violation. Schools requiring that students get certain vaccinations before they’re allowed to attend is not a HIPAA violation.

Oh, and vaccine passports — which the Biden administration has already said it has no plans to mandate and which have been around for decades, if not longer — are also not HIPAA violations. Let’s look at New York’s Excelsior Pass. To use it, you are voluntarily giving the app permission to access your health records, and, as the app’s disclaimer clearly states: “[T]he website is not provided to you by a health care provider, so, as such, you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA)).”

That’s not to say there might not be other, non-HIPAA violations at play here. Certain anti-discrimination laws limit what medical information employers and businesses can require their employees or customers to provide, and they are mandated to make reasonable accommodations for qualifying health conditions. But even those other laws do not, as we’ve seen, mean that businesses have to allow unmasked people in their establishments or that they can’t require employees to get vaccinated (unless they have a medical or religious reason why they can’t be).

Closing the health privacy law gap

So HIPAA isn’t the all-inclusive health privacy law so many people assume it is, but that mass assumption suggests that such a law is both wanted and needed. HIPAA has a lot of gaps that a privacy law can and should fill. The pandemic has only made this more apparent.

“People are fairly protective of their health information,” Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), told Recode. “They just assume it would be covered because it’s absurd that it’s not.”

Experts believe this coverage must come from comprehensive federal privacy laws that include provisions for sensitive information, like health data, or for what could be considered sensitive uses of data.

“What we need is for Congress to pass a comprehensive privacy law that sets limits on what the companies can use this data for, how long they can keep it, who they can disclose it to, and doesn’t put the burden of dealing with that on the individual,” Fitzgerald said. “The burden needs to be on the company that’s collecting the data to protect it and to minimize its use.”

Savage said people who are concerned with health privacy laws might find a more productive use of their time in contacting their legislators to advocate for the health privacy laws they believe they are entitled to.

“For individual legislators to move on something, they have to understand why it’s important,” Savage said. “And that’s where the human stories come in. Even just an email to your legislator saying, ‘I had this thing happen and I was really worried, it made me vaccine-hesitant. Can you please fix this?’”

Rep. Suzan DelBene (D-WA) is one of several lawmakers who have pushed for better health privacy protections during the pandemic, including as a co-sponsor of the Public Health Emergency Privacy Act, a bill that was introduced in both houses of Congress in 2020 and reintroduced in early 2021. It would protect digital health data collected for the purpose of stopping the pandemic (for instance, by contact tracing apps or vaccine appointment booking tools) from being used for unrelated purposes by the government or private businesses.

“HIPAA provides some protections for our health information, but technology has advanced much faster than our laws,” DelBene told Recode. “The Public Health Emergency Privacy Act shows how we can protect consumers’ information during the pandemic, but I believe we need to go further since this issue permeates every part of our digital lives.”

DelBene recently introduced the Information Transparency and Personal Data Control Act, which includes added protections for sensitive information like health data. It’s one of what will likely be several consumer privacy bills introduced this session, any one of which could give Americans better health privacy protections. That is, of course, assuming any of them actually pass.

In the meantime, well, at least we have the Federal Trade Commission (FTC), which can — and has — gone after apps and websites that violated their own privacy policies, including a period tracker app.

And while Bad HIPPA Takes is no fan of how the law has been misinterpreted to erroneously declare that vaccine passports are illegal, they are concerned with where individual privacy (not HIPAA) rights stop and where a business’s property rights begin when it comes to those passports.

“If you live in rural America and Walmart is your only grocery store, do you just have to shop online forever, at additional cost and expense, because they decide to require vaccination to enter their stores?” they asked. “What if you are in that situation and are unbanked? The so-called digital divide could make things worse for a lot of people in the short term if implementation of a vaccine passport system is done recklessly.”

That’s not a HIPAA take, but it is a take worth considering.
