HIPAA privacy protection: What you need to know
MILWAUKEE - Having an opinion about privacy is easy; understanding what the law protects is a lot more difficult.
"People believe it actually applies to them and protects them when, in many cases, it doesn’t," Health Sciences Law Group Attorney Jeremy Shapiro-Barr said.
Shapiro-Barr focuses on data privacy and security law. He says he's been getting more questions about HIPAA and how it applies to health information related to COVID-19. He says while he loves the nuances of the law, there are a lot of misconceptions floating around about its scope.
"I try not to be obnoxious about it," Shapiro-Barr said with a smile. "But sometimes, I feel the need to speak up."
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It was designed to allow people to take their health insurance from job to job.
At that point, there was a patchwork of state laws protecting privacy to varying degrees. It wasn't until HIPAA's Privacy Rule went into effect in 2003 that there was a baseline of federal protection for health information.
HIPAA allows you to see your own medical information; the Privacy Rule also largely prevents your doctor, health insurance and certain health vendors from releasing your health information without your permission.
Sorting fact from fiction
"People tend to claim that something is a HIPAA violation when it really isn’t," Shapiro-Barr said. "They think it applies in a broader sense of circumstances than it really does."
When a reporter asked NFL quarterback Dak Prescott whether he was vaccinated, he replied, "I think that's HIPAA." Georgia Representative Marjorie Taylor Greene responded to a similar question with, "Well, your first question is a violation of my HIPAA rights. You see, with HIPAA rights, we don’t have to reveal our medical records, and that also includes our vaccine records."
While HIPAA usually prevents health entities from releasing your medical records without your permission, it does not cover other aspects of your personal information. It also does not prevent your boss, journalists, or really anyone from asking about your vaccination status or prevent businesses or festivals from asking customers for proof of vaccination or negative COVID-19 tests in order to participate.
HIPAA also does not prohibit you from sharing your own health information.
There are other privacy laws that cover areas HIPAA does not. The Family Educational Rights and Privacy Act (FERPA) protects student information; the Americans with Disabilities Act (ADA) can kick in at work if your employer has 15 or more employees. Additionally, there are state laws governing other areas, like consumer privacy.
The nuances
In some cases, Shapiro-Barr says health entities can be legally permitted to release your medical records without your authorization; for example, if one provider refers you to another provider for treatment, or if your doctor needs to disclose treatment information to your health insurer so they can process your claim.
In very limited circumstances, Shapiro-Barr says it may even be permissible for your employer to access your health information.
"It would have to be in a situation where your employer actually sets up the examination for a health care provider to examine you," he said. "But in most situations, it would not be permissible for the health care provider to disclose your vaccine status to your employer without your consent."
"It’s a very challenging area of the law because there are so many nuances and intricacies," Shapiro-Barr added.
HIPAA violations
In cases of a HIPAA breach, health entities are required to notify you and the U.S. Department of Health and Human Services. If you suspect your information has been compromised, you can also file a complaint.
"People want to know that their sensitive health information is protected and secure," Shapiro-Barr said.