HIPAA: Don’t Let Me Be Misunderstood

HIPAA: Don’t Let Me Be Misunderstood




The Well being Insurance coverage Portability and Accountability Act (HIPAA) has by no means been essentially the most glamorous regulation; nevertheless, it has undoubtedly loved extra of a highlight lately with the COVID-19 pandemic and the ensuing measures related to responses to the general public well being danger. With public figures referencing HIPAA (together with NFL quarterback Dak Prescott and Georgia Consultant Marjorie Taylor Greene), HIPAA has change into nearly modern to invoke at any time when medical questions are raised.

Nonetheless, HIPAA is just not solely one of the crucial generally misspelled legal guidelines (it’s “HIPAA”—one P, two As) but additionally one of the crucial misunderstood. Quite than offering freewheeling safety of all vaguely medically-related info, the Well being Data Privateness and Accountability Act (HIPAA) was created to put a variety of necessities on very particular entities (extra on these under) to safeguard the Protected Well being Data (PHI) of sufferers, and to strictly management when PHI could be divulged and to whom. Beneath are seven shocking info about HIPAA that you could be contemplate earlier than invoking it your self.

PHI is outlined very broadly.

As talked about above, HIPAA protects Protected Well being Data, which can embody well being information, well being histories, lab check outcomes, and medical payments. Basically, all well being info is taken into account PHI if it consists of particular person identifiers. Surprisingly, demographic info might also be thought-about PHI, and likewise non-health widespread identifiers comparable to affected person names, Social Safety numbers, and delivery dates if they’re linked with well being info ultimately. Notably, PHI is barely protected by HIPAA whether it is tracked by particular entities (see under). So, for instance, your coronary heart price tracked by your Apple Watch is just not PHI lined by HIPAA, as a result of Apple is just not your well being care supplier!

HIPAA applies solely to “lined entities,” which embody medical suppliers and well being care plans.

The HIPAA Guidelines specify “lined entities” which are lined by HIPAA. Coated entities embody not solely medical doctors, but additionally clinics, dentists, chiropractors, nursing houses, pharmacies[1], medical health insurance corporations, firm well being plans, HMOs, and authorities packages that pay for well being care, comparable to Medicare and Medicaid. HIPAA additionally covers “enterprise associates” of any of those entities—in different phrases, one other entity that helps one in every of these lined entities perform its well being care actions or capabilities. Notably, a clarification of HIPAA in 2000 made clear that it additionally applies to therapists and counselors.

HIPAA solely applies to the extent that the lined entity is finishing up well being care capabilities. For instance, in case your employer is the plan sponsor of an employer well being care plan, then your employer—for PHI collected for that goal—is roofed by HIPAA. Nonetheless, in case your employer turns into conscious of health-related info in different methods—for instance, since you mentioned your situation with a colleague, or since you utilized for go away underneath the Household Medical Go away Act (FMLA)—that info wouldn’t be ruled by HIPAA. Nonetheless, it could be ruled by different medical privateness legal guidelines. For instance, the FMLA has its personal privateness provisions.

HIPAA doesn’t stop third events from asking about your vaccination standing (or different PHI).

Whereas vaccination standing does represent PHI, HIPAA solely applies to sure organizations and companies (well being care suppliers, well being plans, and so on.) It’s not a HIPAA violation for a restaurant or fitness center to ask for proof of vaccination. Nonetheless, it could be a HIPAA violation for a physician to reveal that info to the restaurant or fitness center with out the affected person’s consent.

HIPAA doesn’t apply to “incidental makes use of and disclosures.”

One widespread false impression about HIPAA is that it’s violated anytime PHI is compromised—for instance, if a affected person enters an examination room, and the doctor inadvertently clicks on the incorrect affected person’s profile in her pc, or if a affected person by chance overhears a dialog about one other affected person.

The HIPAA Guidelines allow sure incidental makes use of and disclosures of PHI to happen so long as the lined entity (on this case, the doctor) has in place affordable safeguards and minimal obligatory insurance policies and procedures to guard a person’s privateness. The laws acknowledge that many customary well being care communications and practices play an necessary and important function in guaranteeing that people obtain immediate and efficient well being care and that as a result of nature of those communications—and the varied environments through which people obtain well being care—the potential exists for well being info to be disclosed by the way. So, for instance, if a doctor has a dialog with a nurse a few affected person and one other affected person overhears, it’s not essentially a HIPAA violation except the incident is extra systemic (brought on by a scarcity of efficient insurance policies and procedures) relatively than a one-time inadvertent error.

HIPAA solely goes a technique.

HIPAA protects your PHI from being shared by your well being care supplier, well being care plan, and their enterprise associates. Nonetheless, you may all the time share your personal well being care info with whomever you select. It additionally doesn’t stop a 3rd social gathering from asking you for PHI, though it does prohibit lined entities from sharing your PHI (for essentially the most half) with third events with out your consent.

There are exceptions to HIPAA.

Underneath HIPAA, PHI can nonetheless be shared with out affected person authorization in sure circumstances, together with:

  • To forestall a critical and imminent menace
  • As essential to deal with the affected person (for instance, coordinating between suppliers, in session or referrals)
  • Guaranteeing public well being and security

Moreover, HIPAA doesn’t technically stop well being care suppliers from sharing details about a affected person with members of the affected person’s household. If the affected person is current, info could be shared if the affected person doesn’t object. If the affected person is incapacitated, the supplier can nonetheless share info based mostly on private judgment, if the supplier doesn’t imagine the affected person would object. (Nonetheless, well being care information can’t be shared except approved in writing.)

You can’t sue a physician for violating HIPAA.

HIPAA doesn’t create a personal reason for motion, which implies that you can’t immediately sue any physician or medical supplier, even in the event you suppose they violated HIPAA. In some states, you could possibly file a lawsuit on different grounds (for instance, negligence or breach of implied contract), however such instances could also be troublesome to show. It’s also possible to file a grievance with the Division of Well being and Human Providers’ Workplace for Civil Rights (OCR) or together with your state legal professional basic, though many complaints are resolved by means of voluntary compliance or corrective motion relatively than stiff penalties. Moreover, given the complexities of HIPAA (and likewise how regularly misunderstood it’s), it might be useful to seek the advice of with a neighborhood legal professional about your particular state of affairs earlier than making litigation threats.

[1] Technically, HIPAA solely applies to organizations that conduct well being care transactions electronically; nevertheless, at the moment, this consists of nearly all organizations.

Disclaimer: This put up is for informational functions solely and never for the aim of offering authorized recommendation. It’s best to contact your legal professional to acquire recommendation with respect to any specific difficulty or drawback. Use of and entry to this put up or any of the e-mail hyperlinks contained inside the web site don’t create an attorney-client relationship between the creator and the person or browser. The opinions expressed at or by means of this web site are the opinions of the person creator and will not replicate the opinions of any regulation agency or Psychology At this time.


Leave a Comment

Your email address will not be published. Required fields are marked *