HIPAA, not HIPPA: Common Misunderstandings and Clarifications of the Law

The COVID-19 pandemic has resulted in an outpouring of information to the general public, much of it inaccurate. Healthcare-related law has not been immune to misinformation, and related laws have been incorrectly cited and applied by leadership and citizens alike. The spread of misinformation is especially dangerous during a pandemic, as it can stifle recovery efforts and contribute to an increase in the infection rate. Recently, a spike in incorrect claims related to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has come from a variety of sources, including governmental ones. Because HIPAA is widely cited, but sometimes misunderstood, a brief synopsis of the law follows.


What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law created to address the transmission of healthcare information, to establish how personal information is protected by healthcare providers from fraud, and to address the limitations on insurance coverage. The HIPAA “Privacy Rule” created guidelines for “covered entities” (healthcare providers, health plans, healthcare clearinghouses) concerning the use and disclosure of Protected Health Information (“PHI”). This Briefing does not focus on the HIPAA “Security Rule,” which pertains to the use and disclosure of electronic PHI.


Who is required to follow HIPAA guidelines?

As stated above, individuals, organizations, and agencies that meet the definition of a “covered entity” under HIPAA must comply with requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. Covered entities include, but are not limited to, the following:



Other than the above types of covered entities, and their business associates, other individuals, businesses, and organizations are generally not subject to HIPAA guidelines concerning the use or disclosure of PHI. However, other privacy laws and regulations (including state requirements) may be applicable to the release of such personal information.


What information is protected under the Privacy Rule?

HIPAA limits covered entities in their use and disclosure of PHI. Under HIPAA, PHI is defined as all individually identifiable health information held or transmitted by a covered entity (or its business associates) in any form. Individually identifiable health information is the demographic data that includes information about:

  • The individual’s past, present or future medical condition (physical and mental)

  • The provision of healthcare to an individual; or

  • Past, present, or future payment for provision of healthcare to an individual


Note that, under the Privacy Rule, employment records that a covered entity maintains in its capacity as an employer are not covered under HIPAA, even if they contain health information.


Failure to comply with the Privacy Rule may result in large civil monetary penalties. Additionally, a person who knowingly obtains or discloses information in violation of the Privacy Rule may face criminal penalties.



When is disclosure of PHI permitted or required?

A covered entity may not disclose (or use) PHI unless the Privacy Rule permits or requires disclosure, or the subject of the information authorizes disclosure in writing. However, a covered entity must disclose PHI in situations such as the following: (a) to individuals when they request access to their PHI; (b) to the Department of Health and Human Services when it is undertaking a compliance investigation, review, or enforcement action; or (c) when required by law.


Furthermore, a covered entity is permitted to use and disclose an individual’s PHI without that individual’s authorization under the following circumstances:

  • A covered entity may disclose protected health information to the individual who is the subject of the information

  • A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities

  • A covered entity may gain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object to disclosure

The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated.


A limited data set may be disclosed without permission for research purposes under the Privacy Rule. A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.


HIPAA disclosures and COVID-19

Under the HIPAA Privacy Rule, covered entities—without authorization—may disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, first responders, and public health authorities.[1] This information may be released when the disclosure is required to provide treatment, when the notification is required by law, or when it is necessary to notify a public health authority to prevent and control the spread of the disease. Except when required by law (or for treatment disclosures), a covered entity must make reasonable efforts to limit the information used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.


Additional information about HIPAA and COVID-19 can be found at: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf


HIPAA in the future

On December 10, 2020, the federal Office for Civil Rights that enforces the HIPAA rules issued proposed changes to HIPAA to eliminate barriers to coordinated care and to advance value-based health care. Here is a link to the proposed rule:

https://www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html


It is unclear whether these proposed rules will be finalized by the new Biden administration.


Although many businesses and individuals are not subject to HIPAA guidelines, an understanding of HIPAA’s applicability can help to combat the rampant misinformation related to all things COVID-19. In this environment of uncertainty and fear, knowledge and a clear understanding of applicable law are paramount to help prevent further infections.


Our team has extensive experience with HIPAA rules and regulations. If you have any questions about this Legal Briefing, please contact any member of our Firm at (585) 730-4773.

This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2020 Law Offices of Pullano & Farrow PLLC

[1] See: https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf
