HIPAA is not a difficult law to understand but it is one of the most misunderstood laws, often resulting in unfortunate consequences. Most recently, it’s been incorrectly cited as prohibiting employers from inquiring about their employees’ COVID-19 vaccination status. In fact, employers are entitled to ask about their employees’ vaccination status.

If you’ve ever wondered whether someone is misusing HIPAA and incorrectly preventing the disclosure of health information, you may be correct. 

1. What the Law DOES do

The Health Insurance Portability and Accountability Act, known as HIPAA, has been in existence for almost 30 years. The part of HIPAA that regulates the privacy of health care information is referred to as the “HIPAA Privacy Rule,” and it is intended to prevent health care providers and health care related entities like insurers from sharing protected health information without a patient’s permission, while also recognizing that in a number of cases there should be a free flow of health information.  Thus, it imposes limited confidentiality obligations only on “covered entities” meaning health plans, health care providers who transmit information in electronic form, health care clearinghouses that provide services like billing and health data management, and business associates of covered entities that provide services like claims processing and billing.

While it is well understood that HIPAA requires the disclosure of an individual’s protected health information when requested by that individual, it also permits disclosure in 12 different situations, including for payment activities, health care operations like case management and care coordination, in emergency situations, to an individual’s family members when informal permission has been granted, and for the general public interest or for the performance of essential government functions (two large catch-all categories).   

If you are injured but unconscious, your doctor is authorized by HIPAA to release pertinent information to your family or friends if it would be in your best interest. In the case of a contagious disease, HIPAA does not prevent health care providers from releasing information to determine if there is a public safety risk. Restrictions can also be bypassed if doing so would help disaster relief.

Regarding COVID-19, it is not a HIPAA violation for someone to ask you for proof of vaccination as a condition of employment, or before attending a concert or taking a flight, because you are free to choose to seek other employment or not to attend the concert or take the flight (see our blog post about employer-mandated vaccination here). Since these situations do not involve the release of information about your vaccine status without your consent, HIPAA is not at issue.

HIPAA is often misinterpreted as a general restriction on anyone asking for someone else’s medical information, or disclosing an individual’s medical information to a third party. But the law does not apply to employers, neighbors, the media, or any other individual outside of the health care industry. It can, however, be used as a crutch when individuals would rather not provide information. Rather than simply declining to answer, it’s easy (but incorrect) to say, “I can’t because of HIPAA.”

2. Instances where people have misused HIPAA

There have been plenty of cases of HIPAA being used incorrectly in matters involving COVID-19. Just last month, Representative Marjorie Taylor Greene (R-GA) was asked by a reporter if she had been vaccinated. Citing HIPAA, she wrongly claimed that she did not have to reveal that information. Yet HIPAA didn’t prevent her from responding. Again, HIPAA does not prevent an individual outside of the health care industry from asking you about your vaccination status, and it doesn’t prevent you from answering. Whether you answer the question about your own medical information is a personal decision.

Also last month, North Carolina Lt. Governor Mark Robinson criticized a Biden Administration plan to have volunteers canvas door-to-door to encourage COVID-19 vaccinations. He claimed that this would be illegal under HIPAA because canvassers would be requesting private medical information. Again, this is an incorrect interpretation of HIPAA. Canvassers are not a “covered entity” under HIPAA, and they can ask any information they want, including about vaccine status. If people are uncomfortable with being asked, they can simply not respond to the question. These statements about HIPAA misled Robinson’s constituents and may have prevented people from participating in beneficial conversations about the vaccine.

It's even to the point where misstatements about HIPAA are inviting ridicule. In a July press conference, NFL quarterback Dak Prescott told reporters he thought HIPAA prevented him from speaking about his vaccination status. A twitter-storm quickly erupted with comments like the following: “My wife just asked me if I played well on the golf course today. Told her that question violates my HIPAA rights."

Unfortunately, such misstatements are not unusual, and they have occurred in a variety of other contexts.  Several years ago, Orlando Mayor Buddy Dyer contacted the White House to ask for a waiver of HIPAA, believing that the law prevented hospitals from answering family members’ questions about the medical status of their loved ones who were injured in the Pulse Nightclub shooting. The White House responded that a waiver was unnecessary. After all, HIPAA allows physicians flexibility to disclose limited health information to the public or media when appropriate, such as when a person may be in serious or critical condition. Fear of violating HIPAA caused unnecessary delays in the release of medical information and increased worry and uncertainty for family members.

3. How to Navigate the Care of Loved Ones Under HIPAA

Unfortunately, our experience is that many health care providers misinterpret HIPAA, resulting in delayed releases of records and family members having difficulty in getting the information they need to care for their relatives.  It’s not a surprise that a 2019 study found that 51% of health care providers failed to follow HIPAA guidance when responding to patients’ request for the release of their own medical records. Caution by health care providers in applying HIPAA is understandable, since violating the law can result in criminal penalties, but this should result in health care providers taking care to understand their obligations, rather than misapplying the law.

If you are involved in a relative’s care, it’s a good idea to have them execute a HIPAA authorization form that you can provide to doctors to facilitate their communication with you about your loved one. This authorization is an essential part of an estate plan in addition to the appointment of a health care “proxy” -- an agent who can make decisions for you if you become incapacitated.  Since state law differs on the requirements for HIPAA authorizations and appointments of health care proxies, attention must be paid to make sure that documents comply with your state’s requirements. Having these documents will help you to have all the information you need in caring for aging relatives, and in turn, if you ever need assistance from family members, you will know they can freely speak with your doctors.

This blog was written by Jamie Hamelburg, a Member of Press, Dozier & Hamelburg, and Julia Cronin, an intern with Press, Dozier & Hamelburg. Press, Dozier & Hamelburg partners with businesses to achieve their goals, and represents families and individuals, often when they are most vulnerable. Our attorneys deliver valuable insight and counsel in the areas of business, employment law, litigation, commercial real estate, estate planning and administration, and business succession planning. We provide all of our clients with personal service, emphasizing responsiveness, sensitivity, and respect. We are located in Bethesda and serve Maryland, Virginia, and Washington, D.C.

Note: The content in this Blog is for informational purposes only and should not be acted upon without first consulting legal counsel. It is not intended to constitute legal advice.