Understanding the Health Insurance Portability and Accountability Act (HIPAA)

Anyone who is injured in an accident will need medical care from hospitals, doctors, and other healthcare providers. According to HIPAA, medical care providers need to take steps to protect the healthcare information for each patient (obtained during these medical visits for accident victims) from being disclosed or shared – without the consent of the patient. HIPAA protections generally apply to patient electronic information. Since most medical records are kept electronically (even if there’s also a paper trail), HIPAA governs most medical records.

While HIPAA does have a privacy rule, the “P” in HIPAA does not stand for “Privacy.”

The privacy rule sets standards for the use and disclosure of a patient’s health information – called “protected health information” (PHI) by “covered entities.” HIPAA’s privacy rule also provides standards for the ability of a patient to understand his/her rights and to control how their health information is used. The HIPAA privacy rule, according to the CDC, “seeks to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”

Covered entities generally include:

• Health care providers. These entities include hospitals, doctors, pharmacies, and any entities that send/receive electronic health information. Examples of electronic health information include claims, questions about eligibility, requests for referrals, and other covered transactions.
• Health plans. This includes any entity that pays for health coverage. Examples include insurance companies, HMOs, Medicare, Medicaid, Medicare+Choice, Medicare supplement plans, and some other covered plans.
• Health care clearinghouses. These are entities that process medical data.
• Business associates. The HIPAA privacy rule also applies to “business associates” or contractors who manage medical records in some manner for the covered entities.

Another rule, a security rule, was issued to protect a “subset” of the information covered by the privacy rule.

The HIPAA privacy rule explains why the covered entities:

• Need to obtain the patient’s consent to certain uses of their electronic health information
• Need to verify their identity before talking about health care issues
• Must use “secure, HIPAA-compliant channels and patient portals”

In addition to the privacy and security rules, there are rules, according to Vox, to “prevent health care fraud, simplify and standardize medical records, rules for pre-tax employee medical savings accounts, and to ensure continuous health insurance coverage for employees who lost or changed their jobs.”

Patients who think their HIPAA rights have been violated “can complain to the HHS Office of Civil Rights.  This office can take action against the medical offender. Patients don’t have a direct legal action against the covered entity.

When is a patient consent or authorization not required to comply with HIPAA?

According to the CDC, covered entities are “permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:”

• “Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)”
• “Treatment, payment, and healthcare operations”
• The discussion about whether the patient agrees or objects to the disclosure of the PHI.
• “Incident to an otherwise permitted use and disclosure”
• Matters in the public interest.

HIPAA laws and coronavirus measures

So, let’s talk about those matters of public interest for a minute. Public interest and benefit matters include things such as:

• If the disclosure is required by law
• Matters of public health and “essential government functions”
• If a person is a victim of abuse, neglect, or domestic violence
• Matters involving law enforcement, such as administrative and judicial hearings or proceedings
• Specific functions involving a deceased person – such as identification of the deceased person
• Cadaveric organ, eye, or tissue donation
• Some types of research
• Cases involving workers’ compensation
• “To prevent or lessen a serious threat to health or safety”

“To prevent or lessen a serious threat to health of safety” means that during a pandemic, your vaccine status may be required in order for you to do certain things. It means that businesses can take yours temperature before you enter a building, and are allowed to request information for contact tracing HIPAA laws do not allow you to avoid wearing a mask where masks are required, and they don’t make “vaccine passports” required by private businesses illegal – even though some people, according to Vox, have tried to make that assertion.

Also, during the COVID-19 pandemic, some of the protections for health information have been waived for patients’ benefit. For example: “The Office of Civil Rights will not be enforcing its rule requiring health care providers to use HIPAA-compliant portals for telehealth. Nor will it require covered entities to use HIPAA-compliant systems to schedule vaccines.”

Related privacy laws and policies

The Americans with Disabilities Act requires that employers keep disability-related information about employees confidential.

Doctors are bound by the Hippocratic Oath (which isn’t a law, just a medical policy) that requires that doctors keep patient information confidential to establish the trust needed for the patient to speak freely about his/her medical disorders.

A lot of information that is medical in nature isn’t covered by HIPAA. For example:

• A selfie you take of your vaccine that you post on social media
• Membership in a Facebook medical support group
• A heart rate monitor you wear on your wrist
• Searches for medical information on the Internet
• A mail-order DNA test

While health providers are generally covered by HIPAA, schools, employers, life insurance companies, and other entities aren’t normally covered by HIPAA – though they may be covered by other privacy laws.

At Philbrook Law Office, our Vancouver and Battle Ground, Washington personal injury lawyers understand that receiving quality medical care is the first priority for most victims of car accidents, slips and falls, construction accidents, or any other type of accident. Obtaining the release of medical information if a loved one dies due to the fault of others can be very complex.

We work with your medical team to verify the types of injuries you have and the treatments you’ll need. We demand compensation for all your injuries including your medical expenses, income loss, and your pain and suffering. If you were injured in any type of accident, call our offices at 360-695-3309 or use our contact form to schedule an appointment.