In-Depth: Sorting out the confusion around what HIPAA covers

covid vaccine syringe shot
Posted at 11:05 AM, Aug 09, 2021
and last updated 2021-08-09 14:08:03-04

SAN DIEGO (KGTV) — As Americans navigate the COVID-19 vaccine and information, there's been some confusion and misinformation about what information the Health Insurance Portability and Accountability Act of 1996, or HIPAA, protects — and who is covered.

HIPAA went into effect in 1996 and while it's confusing in essence, it's actually pretty simple.

Former California Medical Association President, Dr. Ted Mazer, isn't surprised there is confusion surrounding HIPAA.

The law is aimed at protecting patient privacy, covering three entities, health care providers, health plans, and health care clearing houses. These groups cannot share sensitive information without permission. Some parts of HIPAA also cover business associates of covered entities.

"It's protecting personally identifiable personal or private health information. That's all it covers," said Dr. Mazer.

Information protected under HIPAA includes:

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws

HIPAA also affords certain rights to you as a patient when it comes to accessing your own information. Instances include:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can
    • File a complaint with your provider or health insurer
    • File a complaint with HHS

A misconception is that HIPAA protects all health information for any reason, but that's not true.

Recently, Congresswoman Marjorie Taylor Greene refused to answer a question from a reporter about whether she got the COVID-19 vaccine, saying it was a violation of HIPAA. Dallas Cowboys quarterback Dak Prescott also cited HIPAA when asked about it. Both of these instances didn't reference HIPAA correctly.

"But in terms of HIPAA violation, none of this involves HIPAA, unless you're dealing with a covered entity under HIPAA," Dr. Mazer said.

Individual people and most employers aren't considered covered entities under HIPAA. Schools, and most state and law enforcement agencies are also not covered under HIPAA. Groups not covered include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices

Vaccination information is classified as protected health information and is covered by HIPAA's rules as it pertains to the above three groups. For instance, a health care provider generally cannot share health information with an employer, sell that information, or use it for marketing purposes without a patient's written permission.

"If your employer says, 'are you vaccinated?' That is not a HIPAA violation. Your employer is not one of the covered entities under HIPAA," said Mazer.

More information is available about HIPAA on the HHS website.