
HIPAA was enacted 25 years ago. Today it's wrongly being used to justify keeping COVID status secret.



Does the Health Insurance Portability and Accountability Act – better known as HIPAA – make it illegal to disclose someone's COVID-19 vaccine status? 

"That's absurd," said Donna Shalala. 

Shalala would know. She wrote the HIPAA regulations when she was Secretary of Health and Human Services from 1993 to 2001. 

Saturday marks the 25th anniversary of the law's enactment and she's happy to clear up any confusion.

She laughed when reminded of people such as Georgia Republican Rep. Marjorie Taylor Greene and Dallas Cowboys quarterback Dak Prescott, who cited the law as an excuse to not say whether they've had COVID-19 or are vaccinated.

"People still say to me, 'I can't do that because of HIPAA,'" Shalala said. "I tell them, 'I wrote HIPAA, and you can.'"

HIPAA has been invoked so often, and so incorrectly, that memes about it abound. One compares the actual law with the nonexistent HIPPA or "Health Information Privacy Protection Act" and a hippo.

How a 25-year-old law got caught up in the pandemic is a story of misdirection and excuses, made all the more easy because so few today remember why it was passed in the first place.

Fact check: Businesses can legally ask if patrons have been vaccinated. HIPAA does not apply.

A little HIPAA history

Back in 1995, nobody was worried about pandemics but everybody was worried about something called "job lock."

Almost all employer-based health insurance at the time had pre-existing condition clauses. If someone moved jobs and had cancer or heart disease or some other expensive medical condition, their new insurance could and often did refuse to cover it for up to 12 months. 

That meant people were locked into their jobs because if they moved to a new one, they might have to deal with waiting periods and exclusions, meaning they were on the hook for any related costs until the pre-existing condition wait period was over. 

Some researchers at the time estimated job lock reduced the turnover rate among people who had employer-provided health insurance by as much as 25%.

"It was a huge issue," said Ken Thorpe, chair of health policy and management at the Rollins School of Public Health at Emory University.

HIPAA was created in part to fix the problem.

That's why the law has "portability" in its title, because it made health care portable. It also nudged health care providers to move to electronic medical records and gave individuals access to their own medical records and the right to amend them, among other things.

Privacy came years later

The part of HIPAA that gets all the attention now was added years later. Once passed, the law gave Congress two years to craft a privacy portion. If Congress didn't act, the job would fall to the Secretary of Health and Human Services. 

"So we came up with the idea that health information should only be used for health care purposes," said Shalala. The simple idea took another eight years and beyond.

The privacy portion of HIPAA went into effect in 2003 and the security rule didn't come until 2004. HHS didn't get full power to investigate HIPAA complaints until 2006 when the enforcement rule was enacted. 

"When people say HIPAA, they think about the privacy rules," said Deven McGraw, chief regulatory officer for Ciitizen, a service that helps patients collect and share their medical records. "But in fact, those rules lagged."

The privacy provisions said an insurance company, doctor or pharmacy could only use medical information about a patient to treat that patient. They couldn't sell it to someone else or use it for marketing.

Shalala said she was worried the Office of Management and Budget, "which was often a nightmare," wouldn't sign off on the regulations. But OMB head Alice Rivlin cleared it right away.

Surprised, Shalala called and asked why. Rivlin told her she took a certain drug for a medical condition and got it at her local pharmacy. Soon she started to get ads in the mail for competing drugs.

The pharmacy, it turned out, had sold its patient list to a marketing firm. Shalala said Rivlin wasn't happy companies and marketers she'd never talked to had been sold personal details about her medical condition.

"Now I understand," Shalala recalled her saying.

People have control over privacy

Today such protections are so accepted no one pays attention to them, but at the time it was revolutionary. 

"It's that piece of paper that says 'Privacy Notice' the nurse gives you that everyone throws away," said Juliana Reno, an employee benefits lawyer with the law firm Venable in New York City.

The privacy portion only applies to what are known as "covered entities," generally health care plans and providers. An insurance company can't collect your medical information and then turn around and sell it to a life insurance company. A doctor's office can't sell information about its patients and the drugs they take to pharmaceutical companies. 

The law has done a good job protecting against such patient privacy breaches, experts say. As Thorpe said, 25 years later "nobody talks about job lock."

Individuals, however, have total control over their own information and always have.

"There's nothing that says an individual can't walk out onto a roadway and yell out, 'I have AIDS' or 'I'm vaccinated,'" said Reno.

Patients have ultimate authority over what information their medical providers can release about them

That's why medical privacy advocates cried foul when President Donald Trump was hospitalized for COVID-19 in October. At the time, his doctors said they couldn't share information about his case because of HIPAA rules. 

Actually, what it meant was Trump had not given them permission to release his information. If he had, they would have been free to do so.