{ "vars" : { "gtag_id": "UA-1995064-10", "config" : { "UA-1995064-10": { "groups": "default" } } } }

What Is the HIPAA Privacy Rule? A Health Law Scholar Explains

Getty A staff member walks past medical records at the Cornerstone Care Community Health Center of Rogersville March 21, 2017 in Rogersville, Pennsylvania.

The Health Insurance Portability and Accountability Act’s Privacy Rule is a federal law prohibiting health care providers, businesses and the people working with them – including administrative staff, laboratories, pharmacies, health insurers and so on – from disclosing your health information without your permission.

When people talk about HIPAA, they typically refer to the Privacy Rule provision established in 2003, which is just one part of a broader law initially passed by Congress in 1996. The Privacy Rule came into force after tennis star Arthur Ashe’s HIV status was publicly revealed and country music star Tammy Wynette’s health records were sold to tabloids. People were starting to worry about genetic privacy. And Congress recognized that the internet would make it easier for health care privacy breaches to occur.


Why the HIPAA Privacy Rule Matters

The HIPAA Privacy Rule gives you the right to control your health information disclosures so you can tell your health care provider what to share. If you don’t want to share some of your health information with your family members, you can tell your health care provider to withhold that information from them.

However, HIPAA only protects health care information held by specific kinds of health care providers. For example, health care data on your Apple Watch or Fitbit is not usually covered by HIPAA. Genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements like the privacy disclosures required on many apps may protect that information, but HIPAA does not.

Sometimes people try to use HIPAA as an excuse for actions it doesn’t actually cover. For instance, some people who refused to comply with coronavirus-related mask rules in stores asserted that they couldn’t be asked to explain why because of HIPAA protections. But that’s not how this privacy law works: It’s legal for someone to ask you about your vaccination status. And anyone can provide information about their own vaccination status (or any personal health information) without violating HIPAA.


Are There Exceptions to the HIPAA Privacy Rule?

Certain exceptions to HIPAA’s nondisclosure requirements allow covered health care providers to disclose patient information to help treat another person, protect public health and aid in certain law enforcement investigations.

During a pandemic, for instance, public health departments can provide information about how many people have tested positive for a disease, but they cannot mention specific names to the general public unless it’s necessary to alert particular people that they may have been exposed. This is because HIPAA and other privacy laws require them not to release any more information than is needed to keep people safe.

Portions of this article originally appeared in a previous article published on Oct. 15, 2020.

The Conversation U.S. publishes short, accessible explanations of newsworthy subjects by academics in their areas of expertise.

By Margaret Riley, Professor of Law, Public Health Sciences, and Public Policy, University of Virginia

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Now Test Your Knowledge

Read more

More News

While the HIPAA Privacy Rule prevents health care providers from sharing your health information without your permission, it doesn’t prevent other people from asking you about it.