How HIPAA Works, Explained

HIPAA gives patients rights, but some of them are misunderstood.

In 1996, a new federal law was enacted to help protect the confidential medical information of citizens. Dubbed the Health Insurance Portability and Accountability Act, or HIPAA, the law mandated strict disclosure policies for health care providers and associated parties when it comes to sharing information about patients.

The requirements of HIPAA are relatively straightforward, but thanks to the byzantine world of government and federal law, it can be easy to get lost when it comes to defining what HIPAA does and does not do. Take a look at some common questions regarding the law and how it helps keep privileged information about a person’s medical history private.

What is HIPAA?

HIPAA is not by itself an actual policy. The Health Insurance Portability and Accountability Act of 1996 was passed to require national standards to be implemented that protected private medical information from being disclosed without a patient’s knowledge or consent. To fulfill this requirement, the United States Department of Health and Human Services (HHS) created the HIPAA Privacy Rule, which was enforced beginning in 2003. It’s this rule that restricts health care providers from sharing patient information without permission.

What does HIPAA do?

HIPAA and the resulting HIPAA Privacy Rule protect patient confidentiality by requiring health care providers to obtain consent before disclosing a person’s medical history to another entity. (They can, however, share information with other providers in the course of treatment without authorization.)

Who does HIPAA apply to?

In addition to physicians, the HIPAA Privacy Rule applies to any entity that processes health care data for reasons relating to billing, coding, claims processing, referrals, and other transactions related to health insurance.

Who does HIPAA not apply to?

A covered entity may disclose medical information if it’s needed in the course of obtaining treatment, payment, or needed for health care operations. For example, a health insurance company may disclose information to another health insurance company for the purpose of coordinating patient care. Or, a doctor may tell a receptionist to schedule a patient because follow-up is needed for a specific medical condition.

Health information may also be disclosed if it’s deemed to be in the public interest. Medical data may be shared without permission if there’s a public health issue, if the patient is a victim of abuse, or if it pertains to law enforcement, organ donation, or workers’ compensation, among other exceptions.

Additionally, HIPAA does not cover disclosure of basic medical information requested by parties like members of the clergy or media telephoning hospitals and requesting information, unless the patient has voiced an objection. Nor does it cover “de-identified” health information. A doctor, for example, might tell a spouse they have a patient with a broken leg. Provided the patient’s name is not used, that would not be a HIPAA violation.

Does HIPAA preclude someone inquiring about a health issue?

HIPAA does not attempt to structure whether an individual is able to inquire about someone’s health history. If a co-worker asks if you have a cold, this is not a HIPAA violation. If a co-worker phones your doctor about your cold and the doctor responds, that would be a HIPAA violation.

What is a HIPAA violation?

A HIPAA violation can take on countless forms, but it generally boils down to a medical provider or medical industry professional disclosing patient information without consent. According to the U.S. Department of Health and Human Services, one case example involved a medical office leaving a telephone message for a patient at a home number when the patient requested they be phoned at work. The message contained confidential medical information.

Another example involved a provider who discussed treatment plans for a communicable disease in a waiting room and within earshot of others.

What is the HIPAA Security Rule?

The HIPAA Security Rule is related to the HIPAA Privacy Rule. It instructs providers to use appropriate measures to protect patient information that’s being handled electronically. That might mean being aware of cybersecurity threats and training employees on how to securely transmit information.

Does HIPAA apply to employers?

Yes and no. HIPAA covers medical providers, not employers. It would not prevent an employer from disclosing your work history if it involved health-related information—that you were late one day because you were ill, for example. Your employer can also ask for medical information when it’s related to sick leave, workers’ compensation, or health insurance. Your health care provider could not disclose that information, however, without your consent.

Does HIPAA prevent employers from inquiring about vaccination status?

No. HIPAA applies to medical providers, not employers. An employer would be asking the employee to share that information directly. It would be up to the employee to decide whether to share their status or not. It would be up to the employer to determine whether the absence of information about an employee’s vaccination status influences workplace safety policies, a thorny issue that could require legal consultation.

Is Zoom HIPAA compliant?

When teleconferencing with medical providers, patients may wonder if their information is secure or whether the software being used, like Zoom or Skype, might be able to access that data. In short, these services are not typically HIPAA-compliant unless they expressly state as much. Zoom for Healthcare is a specific Zoom conferencing software that abides by HIPAA. So does Skype for Business. But standard versions of these applications do not.

How can you report a HIPAA violation?

If you suspect your medical information has been shared by a health care provider or related entity without authorization and without being covered under the permissible exceptions, you can file a complaint with the Office of Civil Rights within the Department of Health and Human Services.

If the party is found to be in violation, they’ll typically agree to take corrective action to revise their disclosure procedures. A monetary settlement may also be required.

As you’d expect with any law, HIPAA has several nuances, and this is not intended to be a comprehensive overview of its policies. Nor is it intended to offer legal advice. You can find out more at the HHS website.