The “P” in HIPAA doesn’t stand for privacy
By Tom Baxter
Exactly why do we need the Health Insurance Portability and Accountability Act of 1996, or HIPAA, as we call it today?
There are some perfectly reasonable answers to that question. But from time to time that question should be asked concerning any law which has spread its wings as widely as HIPAA has.
When she was asked back in July if she had been vaccinated for COVID-19, Rep. Marjorie Taylor Greene said the question itself was a violation of her HIPAA rights.
“You see, with HIPAA rights, we don’t have to reveal our medical records, and that also involves our vaccine records,” Greene said.
This touched off a spate of stories, the daily grist of the culture war, about why that wasn’t accurate. But it was a popular inaccuracy. HIPAA has come up frequently during the pandemic, in debates over masks, proof of vaccination and other issues. Greene’s answer reflects widely held misconceptions about what HIPAA was supposed to do, and it hints at the complexities of a law which not even its defenders thinks is perfect.
As the title suggests, privacy issues were not the first or even the second thing the framers of the law, Democratic Sen. Ted Kennedy and Republican Sen. Nancy Kassebaum, had in mind. HIPAA was in some respects a precursor of the Affordable Care Act. It made it easier for people to continue carrying their health insurance between jobs, and put some limits on what insurers could reject as a pre-existing condition. At the time it was viewed as a feeble substitute for the healthcare legislation Kennedy had put forward the previous year. Today it looks like a marvel of bipartisanship.
Much of the law was intended to address technological developments which were relatively new at the time, allowing for dramatically faster transfers of medical information with the attendant risk that electronic files could be hacked. Privacy was of course an important consideration in all this, but HIPAA’s reach is relatively narrow in this respect.
Whole forests have been chopped down to produce all the HIPAA-generated privacy notifications required of health care providers and insurers, which must comply with a dense thicket of privacy regulations. That may be why so many people think of HIPAA as a broad guarantee of privacy, but its strict requirements only apply to the medical-insurance complex. HIPAA establishes the right to know who has seen your medical records and includes protections against the misuse of data, but it was never intended to establish “HIPAA rights” in the broad sense. HIPAA has nothing to say about whether an airline can demand proof of vaccination before letting you board, a school can require your child to wear a mask, or an employer can terminate you if you’re not vaccinated.
Some of HIPAA’s critics think it doesn’t go far enough, even within the medical field, to insure patient privacy. Former Congressman Ron Paul and his son, U.S. Rwp. Rand Paul have waged a multi-generational, so-far successful effort to block the HIPAA provision establishing a National Patient Identifier system to make it easier to track patients’ information across many providers’ data bases. Patients would have a number, like a social security number, which would travel with any of their medical files.
The Pauls and their allies condemn this as a government tracking system. Advocates for the system say it protects the privacy of patients while allowing for the use of their medical information, and protects against potentially dangerous mix-ups of information from different providers There is some chance the Senate will remove a ban on funding, but it has only until the end of this month to do so.
Other critics say HIPAA goes too far, creating a lot of administrative paperwork that doesn’t really do that much to insure privacy, and slowing the pace of necessary medical research.
The year of HIPAA’s passage, 1996, is significant. That’s not so long ago by some lights, but it’s a very long time in terms of digital technology and national medical policy. It should probably be revisited, one of these days when Congress has nothing more important to attend to.