Confusion Over Health Privacy Law Seen Impeding Covid Battle


August 17, 2021 9:21 am

The Health Insurance Portability and Accountability Act is having a moment in the spotlight, but the federal health-care privacy law is in many cases being mischaracterized or misused. 

The 1996 law went viral on social media after politicians and pro-athletes, including Rep. Marjorie Taylor Greene (R-Ga.) and Dallas Cowboys quarterback Dak Prescott, inaccurately cited it as they declined to answer questions about whether they’ve been vaccinated against Covid-19. Nebraska is now pointing to HIPAA as a reason the state’s health department can only release limited data on Covid-19, despite safe harbors in the law.

Attorneys and health scholars worry confusion over what’s actually prohibited can in some cases hurt efforts to control the spread of the virus. 

“Any type of misinformation, any misuse of what different laws exist is a problem,” said Tara Ragone, an assistant professor in the Center for Health & Pharmaceutical Law & Policy at Seton Hall University’s School of Law.

“Do individuals have the right on their own to withhold that information? They certainly have a strong privacy right themselves,” Ragone said. “It’s a question of now balancing that with the public health requirements of what do we need to know as a nation to confront this pandemic.”

Personal Freedoms

People have a right to privacy and can refuse to answer a reporter’s questions about their vaccination status, but HIPAA doesn’t prevent them from doing so.

“You’re free to share your own information,” said Shannon Hartsfield, a partner at Holland & Knight, who’s based in Tallahassee, Fla. and works exclusively in health law. “HIPAA does not stand in the way of your own personal freedoms.”

The law only prevents health-care providers and health insurance companies that transmit health information electronically from releasing a patient’s personal health information without their consent. HIPAA also applies to health-care clearinghouses, which work within the health-care reimbursement system like a billing service, as well as business associates, who work on behalf of a provider, insurer, or clearinghouse and are involved with the use or disclosure of an individual’s identifiable health information.

Somehow over the years, HIPAA has wrongly morphed into a generic term for health privacy.

“It’s just sort of a generic term people are throwing around and it doesn’t really mean what they think it means,” Hartsfield said.

HIPAA doesn’t apply to employers, most schools and school districts, colleges, or private businesses outside of the heath-care context. There may be other laws that limit what health information they’re allowed to request. Some states have passed prohibitions on vaccine passports to prevent private businesses or state and local governments from requiring proof of vaccination in exchange for services.

Limiting Information

One health law scholar said HIPAA is being used in some instances as a shield to withhold more meaningful information about Covid-19 and its spread.

Nebraska started limiting the Covid-19 data it was releasing after Gov. Pete Ricketts (R) ended the state of emergency June 30. The state’s Department of Health and Human Services says it’s restricted by HIPAA from releasing certain data. 

Updates are now weekly instead of daily and include basic numbers on testing, vaccinations, variants, and breakthrough cases. The state is no longer releasing county-by-county data on infection rates or Covid-related deaths. Daily numbers on hospital beds, respirators, or overall staffed beds are also no longer available.

“State and Federal law restricts the release of COVID-related data depending on the source from which it was collected, and whether or not the identity of the individuals involved can be ascertained,” the website says. “The Nebraska Department of Health and Human Services is a covered entity subject to federal restrictions under HIPAA.”

But HIPAA doesn’t apply if 18 specific identifiers are removed, including names, ages, and phone numbers, or a qualified statistician determines there’s very small risk the information could be used to identify an individual.

“It just feels like it’s intentionally vague,” Kelly Dineen, director of the health law program at Creighton University School of Law, said about Nebraska’s Covid-19 data.

She noted the state’s health department in April released a Statistical Report on Abortions in 2020 that gives numbers by county and age. “It’s funny they can find a way to report data down to the county and age for something like abortions,” but not Covid-19, she said.

Before the public health emergency ended, Dineen said, the state had been reporting Covid-19 information in a meaningful way, where the public could see statistics on testing and just how sharply case counts are rising. Without that data, she said it’s hard for people to assess their level of risk.

“Nebraska is one of those places where masking is hotly contested, but even if you wanted to follow the CDC’s recommendation, it’s really hard to know if you’re sitting in a place where the transmission is significant,” she said.

A group of 11 state senators led by Machaela Cavanaugh (D) sent a letter to the governor Aug. 11 asking him to reinstate the Nebraska’s Covid-19 dashboard with daily updates from all 93 counties “to enable all Nebraskans to make informed decisions with the most up-to-date information.” 

“Basic numbers shared on a weekly basis is not enough,” they said.

HIPAA Exceptions

There are exceptions baked into HIPAA that allow entities covered by the law to disclose protected health information to prevent or control disease. They may also disclose protected health information to prevent or lessen a serious and imminent threat to public health or safety, as long as they’re only disclosing the minimum data necessary and the disclosure is to someone reasonably able to prevent or lessen the threat.

Attorneys and health law experts disagree on whether the public would qualify as the “someone reasonably able to prevent or lessen the threat.” 

In a statement, Nebraska’s health department said while there are certain provisions that permit minimally necessary releases under special situations, in general the agency must abide by the law when it releases Covid-19 information.

The department went on to cite a steady decline in daily viewership as another reason for removing the daily Covid-19 dashboard.

“With the state of emergency ending and Nebraska’s return to normal, combined with the steady decline in public interest in the dashboard, there was no immediate need to continue updating this information,” the agency wrote.

Need for Reliable Data 

Delta is now the dominant strain of coronavirus circulating in the U.S. Because it’s more infectious and contagious than the other variants, the Centers for Disease Control and Prevention reinstated its recommendation that people wear masks indoors in areas where cases are high even if they’re fully vaccinated.

That’s why heath law experts say the public needs reliable data about cases.

“What people really need to know to protect themselves is, what are the cases in their area? Is there a surge?” said Tara Sklar, a professor of health law at the University of Arizona College of Law.

“There’s no reason for a public health authority to not disclose that aggregated de-identified information. It’s not giving out anybody’s Social Security number, name, or phone number. There’s no way in revealing that information you can say, ‘I know Tara Sklar is Covid-positive as of this date.’”