It sounds like hippo, but HIPAA has nothing to do with giant amphibious mammals. It’s a healthcare privacy law — standing for Health Insurance Portability and Accountability Act — that took effect in 2003.
It impacts your private medical information — but probably in ways different than you might think.
Most of us don’t need to know the details (and would probably find them dull). But some misinformation has spread online, so it’s a good time to clarify a few basic facts.
HIPAA permits sharing of your health info — under certain conditions
The way HIPAA protects your private medical information is specific: It outlines how healthcare organizations and insurance companies that transmit information electronically can share your info.
For example, your doctor can share your medical records with a specialist they are consulting with or referring you to for your care, but they can’t share them with, say, your employer unless you expressly give permission.
Lenny Sanchez, a lawyer and director of patient privacy for UW Medicine Compliance, offers another example: If your doctor filled out Family and Medical Leave Act (FMLA) paperwork for you and stored it in your patient records, then it’s protected by HIPAA. However, if you or your doctor submit it to HR, it’s no longer protected by HIPAA.
“It’s the exact same information, but different rules would govern its protection depending on why the organization received it,” he says.
HIPAA only protects certain types of health info
Only information classified as “protected health information” (aka PHI) that is individually identifiable is protected under HIPAA. So, what exactly does that mean?
“The information must explicitly identify you or provide a reasonable basis for identifying you, and it must be demographic or clinical information collected or created by your doctor to deliver care or obtain reimbursement or payment for services,” Sanchez explains.
PHI includes your diagnoses, treatment plans, medical history and test results, plus personal demographic information, such as your address, birth date and social security number. However, when this information is de-identified — so no one could trace the medical information back to you, for example — it is no longer considered PHI.
HIPAA also prohibits doctors from sharing identifiable patient information in photographs or videos without the patient’s awareness or written consent. For example, if a doctor wants to share your X-rays to their social media and talk about your case in a manner that could identify you, they have to get your permission first. And if a film crew is documenting the work of emergency physicians and you happen to be a patient in the ER, they can’t film or record you in any identifiable way without your approval.
HIPAA applies to breakroom chats, with limits
While HIPAA does apply to how your healthcare team discusses (or doesn’t discuss) the details of your care in public settings, it doesn’t outright prevent them from doing so.
“HIPAA requires healthcare providers to implement ‘reasonable safeguards’ to limit disclosures that occur in the ordinary course of business to an acceptable degree,” Sanchez explains. “Nobody’s resources are limitless, so there's always a practical balance between the resources of the clinic and the patient’s privacy interests.”
For example, in a clinic waiting room, people at the front desk are allowed to discuss your health information with you while you’re making an appointment or checking in. This means that, sometimes, other people in the waiting room may be able to hear what is being discussed, even though it’s private information. There’s no real way around that: It wouldn’t be reasonable or feasible to, say, create soundproof spaces or make employees talk in whispers.
Sometimes, in situations like the waiting room example above, people may feel that their private information is being talked about too publicly.
“A typical situation would be a nurse spoke too loudly, the person at the registration desk asked about your background in a waiting room full of people, or the patient believes their info was shared inappropriately,” he says.
However, unless your info was shared in a way that flouted reasonable safeguards, it isn’t necessarily a HIPAA violation. And it's important to recognize that compliance teams at hospitals do a lot of work behind-the-scenes to make sure patients’ information is protected and that they have a positive experience when seeking care, Sanchez says.
All patients have the right to access their medical info
Under HIPAA, you have a right to access your PHI, ask for corrections to be made to your medical records and file a privacy complaint if you feel your rights have been violated while receiving care.
Every organization that is covered by HIPAA, such as a hospital, will have a privacy officer or a team to help you if you have questions or need to file a complaint.
“It can feel overwhelming for patients to come to an academic medical center to receive care and understand their rights. We’re here to be a resource for patients and to help them navigate complex issues,” Sanchez says.