# ‘HIPAA does not give you a get-out-of-jail-free card’: What the health-privacy law does (and doesn’t) protect

HIPAA, an acronym for the Health Insurance Portability and Accountability Act, was enacted in 1996 and went into effect in 2003. Broadly speaking, it is a federal health-care privacy law that shields individuals’ protected health information from release by health-care providers without the individual’s permission, Margaret Foster Riley, a professor of law at the University of Virginia School of Law, told MarketWatch.

Its rules “essentially provide for the privacy and security of personal health information held by traditional health-care providers — so doctors, hospitals, pharmacies,” said Nicolas Terry, the executive director of the Hall Center for Law and Health at Indiana University. “It restricts the sharing of personal health information that’s identifiable to persons involved in the care of the patient, and in some cases some sort of billing and quality-control issues.”

HIPAA has exceptions, Terry added. The subject of the medical record, for example, can authorize a health-care provider to share the information more broadly if they choose. And the law has provisions by which information can be shared with public-health authorities, the legal system and some other entities, he said. 

For HIPAA to apply to a person’s information, the information must be held by a “covered entity,” meaning anyone involved in the provision and payment of health care, as well as health-care clearinghouses and insurers, Riley said. But the rule does not extend to your employer, she added.

Yes, HIPAA protects President Trump’s medical information 

White House physician Sean Conley on Monday shared certain details about Trump’s condition, including his blood pressure and heart rate. But in response to questions about the president’s lung scans and the date of his last negative coronavirus test, the doctor cited “HIPAA rules and regulations that restrict me in sharing certain things for his safety and his own health.”

White House spokesman Brian Morgenstern on Friday also repeatedly declined to answer questions about when the president last tested negative for COVID-19, telling MSNBC host Hallie Jackson that “the president doesn’t check all of his HIPAA rights at the door just when he becomes president.”

The date of Trump’s last negative test is key to understanding his illness timeline and which contacts he could potentially have exposed to the virus.

“The president shares a great deal of information with the American public: We have gone through numerous briefings with the doctors, half a dozen memos from the doctors, his daily vitals we put out yesterday,” Morgenstern said. “Just because he’s president doesn’t mean he shares every single detail of his entire life, but we do share enough information certainly for public-health purposes.”

Because Trump is receiving health care from a covered entity, his information would be protected under the law, Riley and Terry said.

“There is no doubt that the Walter Reed hospital and the physicians working out of Walter Reed would be covered by HIPAA, and that therefore information that they have about the president would be protected by HIPAA,” Terry said. “HIPAA would probably also apply to the relationship between the White House doctor and the president — so generally, this is HIPAA-protected information.”

Since Conley provided some details about Trump’s condition but cited privacy concerns about others, it appears that the president only waived his HIPAA rights up to a certain extent, Riley said.

“You control your HIPAA rights, so you have the right to say to your health-care provider, ‘You may release this much information, but not this other information,’” Riley said. “That’s likely what’s going on there.”

There’s little doubt that the public has a justifiable interest in knowing about the president’s health, Terry said, assuming the information is responsibly provided and doesn’t include “scandalous or embarrassing details.”

“An honest assessment reported to the American public is something that we would expect in a democracy, and it would be extremely easy for the president to make that information available,” Terry said. “All he would have to do is tell his personal doctor or tell the Walter Reed doctors that they have his consent to provide information.”

The White House seemed to use a ‘pretextual excuse,’ says one expert

White House press secretary Kayleigh McEnany, who would later test positive for the virus herself, declined last Sunday to provide the number of White House staffers who had tested positive for COVID-19. “There are privacy concerns — we take very seriously safeguarding the information of the personnel here in the White House,” she told reporters.

But the White House is not a covered entity under HIPAA, Riley said. Terry, for his part, called McEnany’s response “a pretextual excuse” and noted that “HIPAA and privacy laws, almost routinely, are used as excuses not to communicate.”

“I see absolutely nothing in HIPAA or any other federal privacy laws that would stop the White House giving broad information about the level of transmission within the White House and the number of persons infected, or even when persons were infected — because I think you can provide that information without specifically identifying the person,” he said.

Identifying the person by name might mean the White House is breaching the confidentiality of its employee, he added, “but it’s arguably not HIPAA that’s in play there, because the White House is not a health-care provider, without knowing more about how internal affairs at the White House work.”

HIPAA isn’t a ‘get-out-of-jail-free card’

Earlier in the pandemic, misinformation about mask-wearing exemptions proliferated online. This included posts falsely informing people that their medical conditions exempted them from mask mandates and claiming that HIPAA barred others from asking about their medical condition.

This example, Riley said, is “ridiculous.” Businesses open to the public are not covered entities under HIPAA, she said, and “they can impose any reasonable requirements to protect the health and welfare of their employees and other customers under the [Americans with Disabilities Act] and related and similar laws.”

“The onus would be on the individual to provide credible information about a disability, and even then, that credible information doesn’t necessarily trump the obligation of the employer to protect its employees and other customers,” she said. “They could refuse the individual entry if the individual doesn’t want to wear a mask, even if that individual had a health condition that might preclude a mask. … But none of this has anything to do with HIPAA.”

Terry agreed that the example was “nonsense.” “HIPAA does not give you a get-out-of-jail-free card,” he said. “If someone says that ‘We need you to do something for public health reasons,’ you can’t just say, ‘I don’t have to do that because of HIPAA.’ It just doesn’t work that way.” 

“People have a tendency to think that because they interact with their health-care providers and often sign HIPAA disclosure forms … that HIPAA covers all health-care privacy,” Riley said. But HIPAA “has relatively confined rules,” she said.

It’s not just people outside the health-care system who exaggerate HIPAA’s role, Terry added — sometimes, it’s people within the system. While “we all recognize that the free flow of health-care information amongst our care team” is a good thing, he said, health-care providers will sometimes use HIPAA as an excuse not to share health information.

Sometimes, though not always, “one gets the impression that maybe some health-care providers don’t want to share personal health information because they want to keep that patient within their own network, rather than letting them escape to somebody else’s network,” he said. 

HIPAA covers a ‘shriveling’ share of traditional health-care data

There’s plenty of information HIPAA doesn’t protect, given that so much health and health-adjacent data now lives outside of the traditional health-care ecosystem, Riley and Terry said. Data generated by your Fitbit
FIT,
-0.14%
or Apple
AAPL,
+1.74%
Watch or stored in your phone’s software won’t be covered under HIPAA in most cases, Terry said, “because the persons supplying the software or the hardware or doing the collection are not traditional health-care providers.”

While most health information was indeed stored by traditional health-care providers at the time of HIPAA’s inception, Terry said, that’s no longer the case. 

“As health has become much more electronic, as health and wellness have become industries, and as large entities, particularly big tech, have entered this space, so the idea that health information is only stored by health providers has been proved to be false,” Terry said. “Yet we have failed as a country to pass strong privacy protections to deal with information, be it health or financial or anything else, that is held by data brokers.”

That leaves a “shriveling” share of traditional health-care data as a slice of the pie, he said.

“The amount that’s being held by traditional health-care providers is as a percentage reducing, and more and more health information is being held by non-HIPAA entities,” he said. “And that information is, to a large extent, unprotected by federal law.”