HIPAA: Common Misconceptions

Misconceptions abound when it comes to HIPAA. First, it’s HIPAA, not HIPPA. And the “P” doesn’t stand for privacy; it stands for portability. HIPAA is the acronym for the Health Insurance Portability and Accountability Act.

Congress passed HIPAA in 1996 to create federal standards for digitizing medical claims data and records (accountability) and to prevent employees from losing their health insurance coverage based on preexisting conditions or otherwise when they changed employers (portability). A Privacy Rule was added in 2003 to give individuals rights with respect to Protected Health Information (PHI) and to regulate how Covered Entities can use and disclose PHI.

Which brings us to another misconception – who is legally required to comply with HIPAA? The “Covered Entities” that must comply with HIPAA regulations are health plans, most health care providers, and health care clearinghouses, as well as the business associates of Covered Entities, such as third-party administrators that help administer health plans and companies that store or destroy medical records.

However, many businesses that obtain health information are not required to comply with HIPAA. These include, among others, most employers. Only employers that operate and administer their own health plans must comply with HIPAA. Employers, however, must comply with other medical privacy laws like the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), which require that employers keep disability and genetic information about their employees confidential.

Today, in the age of COVID, many people seem to think that HIPAA prohibits an employer from asking employees about their vaccination status. That is not the case. While the ADA regulates when an employer can make health-related inquiries of applicants and prospective hires and prohibits making medical inquiries of employees unless job-related and consistent with business necessity, HIPAA does not prevent an employer from asking if employees have been vaccinated or requiring proof of vaccination. Indeed, the EEOC’s position is that inquiring whether an employee has been vaccinated is not a disability-related question restricted by the ADA.

The pandemic has certainly put health care privacy in the spotlight. But when you see headlines claiming that asking about a person’s vaccination status is a violation of the person’s HIPAA rights or that vaccine mandates or passports are illegal, that is simply the latest of the numerous misconceptions that have surrounded HIPAA from its inception.