Understanding the Parameters of HIPAA

June 15, 2021

What constitutes a HIPAA violation? You might be surprised to learn how narrow the scope of coverage truly is.

They are violating my HIPAA rights.

It is a sentence that, in one form or another, has been uttered countless times since the pandemic began. The problem is, the vast majority of people claiming HIPAA violations are not correct.

With mounting pressure on Americans to get the COVID-19 vaccine, there has been a steady debate on whether or not employers can mandate vaccination, and even terminate employees who refuse. My colleague Kevin Burke addressed those questions in an earlier blog. You can find that here. That debate has fueled many of the claims of HIPAA rights violations.

Given the misconceptions and confusion surrounding HIPAA, it felt like a good time to share some clarifying information with our clients, future clients and community at large.

What is HIPAA:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), per the CDC website, is:

A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The HIPAA Privacy Rule is simple, straightforward, and often misconstrued. It reads:

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

The key element of the rule, which I have bolded, is "by entities subject to the Privacy Rule." HIPAA rules only apply to covered entities, of which there are only four:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates of one of the above covered entities

To be clear, that means your boss asking if you are vaccinated is not a HIPAA violation. Your office manager sharing who is or is not vaccinated is not a HIPAA violation. A school pulling your child from class because they may have tested positive for COVID-19 is not a HIPAA violation.

The original intent of HIPAA was to give people an option to continue health insurance coverage when leaving a job. Today, it is thought of primarily as a series of rules to protect a person’s private health information. While that is certainly true, it is also what has led to the confusion about what is and is not a HIPAA violation.

While it may not be a HIPAA violation, there are certainly other times when an employer, for example, can disclose your personal health information in violation of EEOC laws. If you feel your employer has shared your private medical information with coworkers in violation of your rights, you can file a complaint with the EEOC. We regularly work with clients to bring matters before the EEOC. There are certain requirements and time limitations to file, so we always recommend giving our labor and employment team a call as soon as you think there may be an issue.

We also assist clients who truly have been victimized by an unauthorized disclosure of their medical information by a covered entity under HIPAA. If you find yourself in that type of situation, please give our office a call. We are here to answer your questions and determine what options you may have to protect your medical information.

Harry J. Forrest is an attorney with Gross Shuman PC. He practices in the areas of civil litigation, business counseling and long-term disability claims and appeals. He has successfully handled cases in both federal and state courts and has tried cases to verdict involving claims for personal injury, property damage, contract disputes and constitutional civil rights violations. You can contact him at 716-854-4300 ext. 225 or [email protected]