You may not have a close, personal relationship with a federal law but for me, HIPAA holds a special place in my life. With two parents in the healthcare tech field, a quick stint in the world of electronic medical record implementation, and a few years focused on privacy in my early days here at ACT | The App Association, HIPAA is something I talked about A LOT, thought about A LOT, and had to clarify A LOT. So, you know I paid special attention to all the HIPAA talk surrounding the COVID-19 vaccine rollout. Now that HIPAA is the punchline to many jokes on Twitter, a listicle on Buzzfeed, and a facet of daily discourse, it is time to take to the internet and dispel a few rumors. Without further ado, the App Association presents: Two Truths and a Lie – the HIPAA Edition.

Here is how it works: throughout this blog, we have a series of three statements related to HIPAA – two are truths and one is a lie. Ready to test your HIPAA knowledge below and see if you can spot the lie in each round? Don’t worry – we’re here to help you through it.

Round One

  • HIPAA is a law that governs the treatment of personally identifiable health information.
  • The P in HIPAA stands for privacy.
  • The I in HIPAA stands for insurance.

The lie? Number two.

That’s right folks, HIPAA is the acronym for the Health Insurance Portability and Accountability Act. Originally enacted in 1996, HIPAA has two parts, the Privacy Rule and the Security Rule. In the late ‘90s, insurance claims started transitioning from primarily paper-based communications to electronic, and medical records became digitized rather than just paper copies. With this new digital age approaching, Congress wanted to ensure that sensitive health information would remain private while moving from care provider to insurance company and then between electronic health records, known as “EHRs.” That is why both “insurance” and “portability” are key facets to the law (and in the name) rather than “privacy.”

Round Two

  • Asking someone about their vaccination status is a HIPAA violation.
  • Only “covered entities” are responsible for meeting HIPAA compliance standards.
  • My doctor can’t share my health information with anyone unless I give them permission.

The lie? Number one.

First things first: someone asking you about your vaccination status, an employer mandating a vaccine, or a bar/restaurant/business asking for proof of vaccination is NOT a violation of HIPAA. In fact, you can share whatever you want about your health beyond vaccination records, and you can also choose not to share information about your health. What IS a HIPAA violation? If I called your doctor and asked them about your vaccination status, and they told me without your express permission – that would be a MAJOR HIPAA violation. The thing about HIPAA that you have to remember is that only covered entities, their business associates, or healthcare clearinghouses are actually responsible for meeting the compliance standards of HIPAA.

Your next question is probably, “huh?” so here is the breakdown:

  • Covered entities are folks like your doctor, hospital, or insurance company. The kicker here is that HIPAA only applies if your doctor electronically files insurance claims. That isn’t to say that a doctor who doesn’t accept insurance isn’t treating your data responsibly, but it does mean that they do not have obligations to meet the HIPAA standards for privacy and security. That is pretty rare though, so it is safe to assume your doctor abides by the HIPAA rules.
  • Business associates are essentially companies under contract with a covered entity who are collecting, processing, storing, or using your data on behalf of the covered entity. A good example would be a medical device, like a continuous glucose monitor, that measures your glucose periodically and then sends that information directly to your doctor. The company that makes the device would be a business associate of your doctor and therefore responsible for treating your data as outlined in the HIPAA rules. Another good example? Your EHR. EHRs are business associates of covered entities and have to treat your data only within the parameters set by your doctor and within the scope of HIPAA.
  • A healthcare clearinghouse is essentially the middleman between your doctor and your insurance company. They make sure that the claims submitted are correct so that there will be less friction when it comes time for the insurance company to pay out the claim. Healthcare clearinghouses aren’t always used, but when they are, they are responsible for managing your data in accordance with HIPAA.

The key takeaway here is simple: only covered entities, business associates, and healthcare clearinghouses can violate HIPAA. Whether or not you want to share your vaccination status, or any other health information, is entirely up to you, but HIPAA doesn’t prevent you from sharing, nor does it prevent someone from asking, about your health.

Round Three

  • My doctor prescribed me an app that helps me monitor my diabetes. All of the info I upload to the app is then sent directly into my medical record so my doctor and their staff can review the info and give me a call if they see something concerning. That data is all covered by HIPAA.
  • I use a symptom tracking app to help manage chronic pain. Any information I enter in that app is covered by HIPAA.
  • Sharing my vaccination status in order to enter a music venue, restaurant, or bar is not a violation of HIPAA.

The lie? Number two.

This is where HIPAA can sometimes get tricky. Since only certain entities are responsible for HIPAA compliance, not every situation where you might be sharing or tracking health data is covered by the law. In the case of a pain management app that you are using to track pain day-to-day, or even the medication you are taking to manage the pain, that data isn’t covered by HIPAA until you have shared it with your doctor. That is one of the reasons the App Association advocates for a single federal privacy standard that would give companies a clear framework for providing the highest protection for our most personal information. Again, the pain tracking app you are using has probably spent a lot of time making sure it has high privacy and security standards in place around how it treats data, but the point to remember is that it is not covered by HIPAA, so it never hurts to take a look at its privacy policy and make sure you are comfortable with how it treats your health information.

Final Thoughts

HIPAA certainly isn’t a perfect privacy law, and a lot of people have been able to use HIPAA as a way to say no and, in this author’s opinion, slow the pace of innovation. That said, when it comes to current affairs, the reality is that unless someone’s doctor is sharing their vaccination or health status without their express permission, there is no violation of HIPAA. Further, HIPAA really isn’t and shouldn’t be an element of our current national conversation unless the conversation is about the lack of consistent privacy protection in the United States. Choosing to share your vaccination status is a personal decision—you can choose not to—but your HIPAA rights are not violated if Madison Square Garden requires proof of vaccination for you to see Bruce Springsteen.