The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is a federal law that prohibits healthcare providers, businesses and the people who work with them – including administrative staff, laboratories, pharmacies, health funds, etc. – from disclosing your health information without your permission.
When people talk about HIPAA, they are generally referring to the Privacy Rule provision established in 2003, which is only part of a larger law initially passed by Congress in 1996. The Privacy Rule came into effect after the tennis star Arthur Ashe’s HIV status was revealed publicly and country music star Tammy Wynette’s health records were sold to the tabloids. People were starting to worry about genetic privacy, and Congress recognized that the Internet would make breaches of privacy in health care easier.
Why the HIPAA privacy rule matters
The HIPAA privacy rule gives you the right to control the disclosure of your health information so that you can tell your health care provider what to share. If you do not want to share some of your health information with family members, you can ask your health care provider to keep this information from them.
However, HIPAA only protects health care information held by specific types of health care providers. For example, health data on your Apple Watch or Fitbit is generally not covered by HIPAA. The genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements such as privacy disclosures required on many applications may protect this information, but not HIPAA.
Sometimes people try to use HIPAA as an excuse for actions that it doesn’t actually cover. For example, some people who refused to comply with coronavirus-related mask rules in stores claimed that they could not be asked to explain why because of HIPAA protections. But that’s not how this privacy law works: it’s legal for someone to ask you about your immunization status, and anyone can share information about their own immunization status (or any other personal health information) without breaking HIPAA law.
Are there any exceptions to the HIPAA privacy rule?
Some exceptions to HIPAA’s nondisclosure requirements allow covered healthcare providers to disclose patient information to help treat another person, protect public health, and assist in certain law enforcement investigations.
During a pandemic, for example, public health departments can report the number of people who test positive for a disease, but they cannot disclose specific names to the general public unless there is a need to alert specific people that they may have been exposed. This is because HIPAA and other privacy laws require them not to disclose more information than is necessary to keep people safe.
Parts of this article were originally published in a previous article published on October 15, 2020.
The Conversation US publishes short, accessible explanations of hot topics by academics in their fields of expertise.