HIPAA (not HIPPA, that’s not a thing) seems to be brought up in public debate quite a bit these days, so I thought I’d write about what it is (and isn’t). I’ve noticed a good bit of confusion, even amongst government officials. This confusion is understandable, since the law itself is not very easy to read.
The Health Insurance Portability and Accountability Act of 1996, otherwise known as the Kennedy-Kassebaum Act, is actually part of the tax code. You can find the full text of the law (all 160-some-odd pages) by clicking here. Although it is best known for its privacy provisions, most of the law has little to do with privacy. It has to do with the portability of coverage from one insurance policy to another, with pre-existing conditions, the use of retirement funds for health expenses, and complicated tax consequences.
The privacy portion talks about Protected Health Information (PHI) that is held by “covered entities” and when it can and cannot be disclosed. HIPAA defines what sort of health information counts as Protected Health Information and which entities are covered entities. While I am not an expert in the subtleties of this area of the law, only medical and medical-related entities like doctors, pharmacies, and insurance companies are covered entities. HIPAA doesn’t apply to restaurants, retail establishments, the press, or anything else.
It also doesn’t stop anyone from asking questions. HIPAA is about the disclosure of information, not the request for information. Just as the police can ask a defendant any question, but a defendant doesn’t have to answer (or can simply answer by asserting his or her Fifth Amendment privilege), anyone can ask anyone a question, and the answer can simply be, “I’m sorry, HIPAA prevents me from disclosing that information.” The question itself is never the violation. Additionally, answering questions about yourself is never a HIPAA violation. HIPAA violations only occur when a third party discloses PHI about you (or someone else) when you haven’t given permission for that third party to do so. You can’t say that giving out your own health information is a HIPAA violation – you can just say that giving out your own health information is none of the asker’s business.
In a nutshell, HIPAA applies to medical personnel who have information about a third party, and says that they can’t disclose that information to a fourth party unless the third party says it’s OK. In other words, neither Dr. Smith nor anyone in Dr. Smith’s office can give out information about your nose job – including that you are Dr. Smith’s patient – unless you’ve given Dr. Smith permission. Asking Dr. Smith is not the HIPAA violation; Dr. Smith answering is the violation. Asking you if you got a nose job from Dr. Smith is not a HIPAA violation. Even if you answer the question, it’s not a HIPAA violation, since you’re the one who gets to decide if the information gets disclosed.
You are in charge of your own information, so if someone asks you if you want to disclose it, you can simply say no. It’s not a violation of the law for them to ask.
Nothing in this article should be construed as legal advice. It is being offered for informational purposes only.