The Health Insurance Portability and Accountability Act — otherwise known as HIPAA — has become a major topic of discussion amid the rollout of COVID-19 vaccines as some individuals who have been asked about their vaccination status claim that the question is a violation of HIPAA.
For example, when asked about his vaccination status, Dallas Cowboys Quarterback Dak Prescott said: “I don't necessarily think that's exactly important. I think that's HIPAA.” Congresswoman Marjorie Taylor Greene (R-GA) made similar remarks after a reporter asked if she was vaccinated, stating that “with HIPAA rights, we don't have to reveal our medical records, and that also includes our vaccine records.”
These assertions are incorrect, according to Marc Haskelson, president and CEO of Compliancy Group, a company that assists health care institutions with achieving HIPAA compliance.
“Misunderstanding it is very common,” Haskelson told Yahoo Finance. “It’s really a shame because if people really understood its purpose, I think people would be much happier about its existence.”
Confusion about what HIPAA actually is and how it's implemented is common, which Haskelson attributed to the fact that the law's original definition pertained to the exchange of insurance and billing information between providers and insurance companies.
But in today’s world, he said, “it’s far more revolved around protecting privacy” — albeit with some caveats.
What is HIPAA?
HIPAA was implemented in 1996 by President Clinton as a way to “strike a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.”
In other words, HIPAA is America’s primary health care privacy law.
“What it really is for us is the concept that your health information is yours, and it should be protected by anybody who interacts with [it],” Haskelson said. “The original history of HIPAA was really around abuse of people’s private health care information. It’s everything from your name, your Social Security number, to things like a picture of your eyeball during a surgical procedure.”
That information, he explained, is very valuable.
“What it does is it’s supposed to be a set of standards that says anybody who’s involved with your information — whether it’s a doctor’s office or a billing company — everybody involved is supposed to maintain a minimum standard around privacy and secure the information,” Haskelson said. “That’s the purpose.”
Not all entities are bound by HIPAA. According to HIPAA Journal, the law applies to “the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans.” Those who do not have to abide by HIPAA include life insurers, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices.
HIPAA also contains an exception for disclosures made for public health activities, which recognizes the need to report vital events like births and deaths as well as information on the spread of infectious diseases.
Another key provision of HIPAA is that it ensures that you have access to your personal health information and prohibits doctors from keeping that info from you. This is called “rights of access” and requires HIPAA-covered entities to provide individuals with their medical records, billing records, enrollment, payment, claims adjudication, and other related records upon request.
“It allows you as a consumer to call it that you have every right to see the information that’s contained about you and to modify it if it’s incorrect,” Haskelson said.
This is crucial if your information on file is incorrect since it can affect life insurance applications and other important forms, as was the case for Haskelson.
Haskelson once pulled a muscle in his rib cage and experienced pain while breathing as a result. After visiting his doctor, the physician recorded it as “chest pains” rather than a pulled muscle. When Haskelson went to update his life insurance two years later, he was denied because of that note on his record.
“Under HIPAA, I had the right to call my doctor’s office and say, ‘Could you please correct the record that I didn’t come there for chest pains, that I came there because of the cartilage and I needed a chest wrapper?’” Haskelson said. “It made it look like I had a heart attack, and therefore they wanted to deny me life insurance.”
How does HIPAA work in the time of a pandemic?
So does HIPAA apply to COVID vaccination status?
The answer is no, according to Haskelson, because the coronavirus is a serious public health risk. Consequently, discussions around vaccination status or status of having COVID are also considered a matter of public health.
“This is like polio,” Haskelson said. “This is not subjective, how you feel about something. This is a world health risk. Whatever your political beliefs are or your religious beliefs are, this is to protect everybody.”
And while Haskelson didn’t think the vaccine question posed to Dak Prescott was necessarily appropriate, it wasn’t the HIPAA violation that Prescott claimed it was for two reasons: a medical provider wasn't being asked about Prescott's health information, and COVID is a public health issue anyway.
Furthermore, because COVID is a public health issue, businesses technically have the right to ask for proof of vaccination status from their customers and workers, with some limitations.
“What I'm not allowed to ask is: ‘If you had COVID, what were the symptoms you had?’” Haskelson said. “Because that's your personal health information. But the concept of the vaccination — because I get asked all the time, ‘They won't let them back in school unless they get a vaccine and all that’ — and I'm like, 'Look, this is public health.'”
Adriana Belmonte is a reporter and editor covering politics and health care policy for Yahoo Finance. You can follow her on Twitter @adrianambells.