You’ve likely heard of HIPAA. Anytime you begin care with a new medical provider, you sign their notice of privacy practices, which describes how they may use and share your health information and your rights surrounding that information. This is a direct result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a public law enacted in August 1996. HIPAA was created to protect medical records and health information, setting a standard for privacy and security, and it also established patient rights. It is an important protection for patients, especially in a world where information can be transmitted with the click of a button, housed in online records, uploaded, downloaded, and accessed by medical providers with ease. So, how does it apply to patients? Is there protection for patients outside of the medical setting? We’ll answer those questions in today’s post.
Privacy in medical settings
HIPAA does not protect all health information. It also does not apply to every person who may see or use health information. HIPAA only applies to covered entities and their business associates, as outlined by the Department of Health and Human Services (HHS). There are three types of covered entities: health plans, healthcare providers, and healthcare clearinghouses.
Healthcare providers: Doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that provide health care in exchange for payment are examples of providers. Every provider, regardless of size, that electronically transmits health information in connection with certain transactions is a covered entity. These transactions include:
- benefit eligibility inquiries
- referral authorization requests
- other transactions for which HHS has established standards under the HIPAA Transactions Rule
Health plans: This class of covered entity pays the cost of medical care. Examples include:
- health insurance companies
- health maintenance organizations (HMOs)
- group health plans sponsored by an employer
- government-funded health plans such as Medicare and Medicaid
- most other companies or arrangements that pay for health care
Healthcare clearinghouses: One source explains that a healthcare clearinghouse processes information so that it can be transmitted in a standard format between covered entities. For example, a clearinghouse may take information from a doctor and put it into a standard coded format that can be used for insurance purposes.
The three types of covered entities are only part of what HIPAA covers. Business associates, organizations and people hired by covered entities, must also comply with the guidelines. Business associates provide services such as:
- data aggregation
- administrative accreditation
- processing or administering claims
- data analysis
- data transmission
- utilization review
- quality assurance
- certain patient safety activities
- benefit management
- practice management
When at a provider’s office or medical facility, you can expect that anybody who works directly with you (providers such as doctors, nurses, etc.) and all supporting staff (office managers, billing, etc.) operate under HIPAA guidelines. To be in compliance, all staff should only have access to the limited amount of information necessary to perform their job.
Apart from the three types of covered entities, there are other organizations that may also have access to your healthcare information and must also adhere to HIPAA guidelines. These include:
Subcontractors: Business associates may contract out certain work, such as maintaining, transmitting, or creating protected health information (PHI). Those subcontractors have the same legal responsibilities as a business associate under HIPAA.
Hybrid entities: A hybrid entity performs both HIPAA-covered and non-covered functions as part of its business. A large corporation that has a self-insured health plan for its employees may elect to be treated as a hybrid entity. Other examples are a university with a medical center or a grocery store that has a pharmacy.
What are some examples of non-covered entities?
There are businesses that may have access to healthcare information but do not have to abide by HIPAA. Some examples include:
- life and long-term insurance companies
- workers’ compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)
- agencies that deliver Social Security and welfare benefits
- automobile insurance plans that include health benefits
- search engines and websites that provide health or medical information and are not operated by a covered entity
- gyms and fitness clubs
- direct-to-consumer (DTC) genetic testing companies (read more about why privacy with DTC testing is a concern here)
- many mobile applications (apps) used for health and fitness purposes
- those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions
- certain alternative medicine practitioners
- most schools and school districts, which are instead covered under the Family Educational Rights and Privacy Act (FERPA)
- researchers who obtain health data directly from health care providers
- most law enforcement agencies
- many state agencies, like child protective services
- courts, where health information is material to a case
- interactions between individuals who are not part of a covered entity or another subclass that falls under HIPAA
That is not to say that these organizations and groups do not adhere to privacy guidelines. Due to the sensitive nature of health information, many businesses, organizations, and groups that have access to health information create and abide by their own privacy rules to protect data. If you’re ever curious about how your information is stored, transmitted, and protected, ask for a copy of privacy guidelines to best understand how they operate.
Covid and HIPAA
The pandemic has made health information a hot topic: celebrities, politicians, and other public figures have found their health information made public by the media. Are those situations a violation of HIPAA? If medical staff disclosed health information to a reporter without the patient’s permission, the medical staff may have violated HIPAA, but the reporter has not, because the reporter is not a covered entity. Regardless, it likely feels like a violation of privacy to have personal health information shared without consent.
Without a doubt, many people not in the spotlight have also found themselves in a similar situation when interacting with others. Have you ever been asked if you’ve received the COVID vaccination? Or if your most recent illness was COVID? It can be a difficult conversation to navigate if you do not feel comfortable sharing details. Some people limit contact with others who do not share their vaccination status, opting to err on the safe side and avoid any potential exposure to COVID. Is this the only answer? “Ask Amy” is an advice column that responded to one reader asking how to manage this difficult situation. The reader reasoned that they wouldn’t share whether they had just undergone a colonoscopy, mammogram, or other health procedure, so how should they respond when asked about their vaccination status? This was the answer Amy provided, which may be helpful to others:
I share your aversion to discussing medical issues. However, your colonoscopy or mammogram status has absolutely no bearing or impact on anyone else’s health. Your vaccination status might.
Mainly, the vaccination protects you from the more serious illness caused by COVID. But the vaccination also helps to protect others, because if you don’t contract COVID, you won’t be spreading it.
I can imagine how annoying it would be to face aggressive questioning and implied harsh judgment about your vaccination status, but other people do have the right to make their own choice regarding how much close contact they want to have with you.
Yes, without a doubt, nosy people will use the vaccination as an excuse to pry, but if you don’t want to have an extended medical conversation, then don’t.
They ask, “When are you getting vaccinated?”
You say, “I’m not sure.”
They ask, “Are you planning to be vaccinated?”
You say, “I haven’t decided.”
They say, “Well, if you haven’t been vaccinated or won’t reassure me about your plan, I won’t want to spend time with you.”
You respond: “Yes, I completely understand.”
Depending on the relationship, suggestions for how to safely spend time together can be considered. Respiratory droplets that spread the virus are released into the air when talking, coughing, breathing, or sneezing. Those small droplets or aerosols can stay in the air for minutes to hours, making indoor spaces the places where you are more likely to come in contact with the virus, if it is present. The Mayo Clinic suggests outdoor activities: the open air provides a layer of protection because virus particles do not stay stagnant in the air. Outside, you’re also less likely to breathe in enough of the virus-containing droplets to become infected, because the air is dispersing them. A few ideas for safer interactions include:
- playing lawn games such as ring toss, bean bag toss, or bocce ball
- sitting, enjoying a chat in the backyard
- outdoor painting
- outdoor movie screening
- going for a jog
Privacy in this age of technology can seem difficult to attain. But protections like HIPAA are one way that health information can be guarded and your privacy secured. In settings that aren’t covered entities, do not hesitate to ask what is done with your data: how it is protected, transmitted, and shared.