Understanding How HIPAA Law Protects Your Health Records Just Like It Did Trump’s Covid Result

— December 3, 2020

Since the law is all about protecting an American citizen’s healthcare privacy, it is within President Trump’s right to make information public or keep it protected.

Your urge to know about President Trump’s fight with the deadly coronavirus was understandable, but unfortunately, any health-related information cannot be disclosed without the consent of the person, as per HIPAA rules. Whether you are a President or a common man, your medical privacy rights are absolute, and no one is allowed to make your health information public without your consent or knowledge (at least in the USA). The White House physician, Dr. Sean Conley, invoked HIPAA law to restrict the disclosure of any of the president’s health-related information. Thanks to the media frenzy, now people are more aware of the protections available to patients under HIPAA law.

In response to Dr. Conley’s “not at liberty to discuss” response, an ABC News reporter asked him, “So, you are actively not telling us what those lung scans showed?”

In response, Dr. Conley rightly said, “There are HIPAA rules and regulations that restrict me in sharing certain things.”

Here’s everything you need to know about the medical privacy protection law: 

What is HIPAA, and why did Congress pass it?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed by Congress in 1996 to ensure the protection of an individual’s healthcare information. The need for stringent nondisclosure requirements arose after the HIV status of tennis star Arthur Ashe was made public and the health records of country music star Tammy Wynette were sold to a tabloid for commercial gain. These incidents triggered a debate around health care data protection, and Congress rightfully passed HIPAA to make non-compliance with the rules a punishable offense.

Under the law, all entities covered under the Act are prohibited from disclosing your Protected Health Information (PHI), willingly or unwillingly, without your consent. Those who break the rules are liable to hefty fines and, in extreme cases, a prison term as well.

Florida Democrat Donna Shalala, who as secretary of the Department of Health and Human Services under President Bill Clinton helped write the law, told CBS News that the goal was to protect people’s medical information, called PHI, and make it easier for patients to access such information. In fact, a survey commissioned by Invisalign in association with The Pew Charitable Trusts shows that 61 per cent of U.S. adults are interested in managing their own health and want to download their health records to their smartphone.

Scope of Data Protection Under HIPAA

In light of the recent debate surrounding President Trump’s health information disclosure, it is pertinent to know what kind of information is protected under the Act. The applicability of HIPAA compliance is restricted to only those entities covered under the act. Applicability is very broad in terms of which types of healthcare providers and associated businesses and people are covered. It includes administrative staff, pharmacies, laboratories, health insurers, and others. So, everyone in possession of patient information or who has access to such information must protect PHI without fail. It doesn’t mean that health data saved in digital devices or genetic data shared on websites is covered under the Act. Digital data protection is covered under other relevant acts. 

If you are an employer, you are not bound to HIPAA compliance, as the responsibility for PHI data protection is with health insurers. However, you have to follow other relevant laws, like the Americans with Disabilities Act, and all such data protection rules.

Who does HIPAA Apply to?

All health care service providers and business associates, like health insurers, must be HIPAA-compliant to ensure the protection of patient data. If you are confused about the applicability of HIPAA on White House physicians, then yes, the person in charge is responsible under HIPAA to ensure total privacy protection. Organizational coverage doesn’t exclude the White House from HIPAA compliance. Above all, the core idea of the law is to ensure the enforceability of data protection, not where the data is protected.

Of course, there is no such thing as a universal application of HIPAA law, as schools and school districts, employers, and state law enforcement agencies are not covered under the provisions of HIPAA. It applies to health care service providers and business associates and not your friend who could share your information on any social media platform.

What Health Information is Protected Under HIPAA?

Anyone in possession of or in contact with PHI, be it doctor, nurses, lab technicians, administrative staff, or health insurers, is not allowed to disclose any of your information without your consent or knowledge. Health care information, as defined under the Act, could be:

  • Identifiable health information
  • Personal information
  • Test results
  • Findings of diagnosis
  • Medications and treatment plans
  • Billing and other relevant information
  • Insurance-related information

Who Can Disclose What Under HIPAA?

HIPAA is all about giving individuals safety and control over their healthcare data. So, it is you who will permit the organization or individual to use and share relevant information for a defined purpose.

Suppose you want your family members to know some of your health information, but not all of it. In such a scenario, you will tell your healthcare provider to share only specific information or withhold certain information about your treatment or procedures. In some cases, you have to give written authorization to allow information to be shared with a third party.

Disclosure of Information Without Permission

Disclosure of healthcare information, willingly or unwillingly, is prohibited under HIPAA. However, there are some exceptions regarding the use of information. Health insurance companies are allowed to use patient information to protect public health and for law enforcement purposes.

In a situation like a pandemic, the health department is allowed to share broader data related to the number of cases and recoveries and other relevant data required for public awareness and policymaking. But the department is not allowed to share personal information like names, addresses, and other personal details. If necessary, the health department can disclose contact tracing information in the larger public interest.

HIPAA applies to President Trump just as it does to anyone else. So, he has every right to protect his health-related information. The President himself can make it public or allow for the disclosure of certain information.

What if Someone Violates HIPAA?

On receiving a complaint, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services investigates the entity alleged to have disclosed the information. If non-compliance is found, the OCR could initiate a violation proceeding, which could result in the imposition of a fine commensurate with the level of breach. In normal circumstances, the OCR asks for compliance within a defined period. If the entity fails to comply, then the authority could impose a fine and initiate civil or criminal proceedings depending on the nature of the violation.

Is Consent Mandatory for Information Disclosure?

A doctor can disclose healthcare-related information only when s/he has the consent of the patient. Your healthcare information can be shared with other healthcare service providers and health insurance companies with authorization only. In some cases, the information can be used in the larger public interest. In simple words, your privacy right is absolute, and it is your right to make it available for any purpose.

Under the HIPAA law, it is within your rights to allow selective disclosure or sharing of information in part or full with family, friends, or the American public. So, you have the right to permit selective disclosure for the desired purpose and to withhold disclosure of some information to protect privacy. It is within your right to waive the privacy protection available under the HIPAA law. However, the waiver would not be a blanket disclosure. You can ask your healthcare provider not to share information with certain people or organizations. 

Applicability of HIPAA to the President and the White House Physician

Technically, the White House is not a healthcare service provider or any other covered entity, so the HIPAA rules don’t apply to the White House. So, the White House press secretary cannot say that HIPAA prevents him from disclosing President Trump’s COVID-19 reports. However, the doctor of the President can say that the HIPAA rules prevent him from disclosing the information. Since the law is all about protecting an American citizen’s healthcare privacy, it is within President Trump’s right to make information public or keep it protected.
